Sep 3, 2020
Early Days of Security at Morgan
Steve first began working in cybersecurity at JPMorgan, then known as Morgan Guarantee. He recounts the attitude towards CISOs in the 1980s, where many people didn’t really have a concept of cyber security or what it looks like. When Steve started, he had to change access rules and work against the resistance to PCs and Apple technology in banks. Listen on to hear his stories and how he overcame skepticism towards cybersecurity.
Building an Active Community
One of the many amazing experiences Steve tells is how all the data security officers from the NY banks would get together every three months. They would spend the morning
eating donuts and drinking coffee, but also exchanging contact information, discussing what was going on in the field, and brainstorming together. Before Twitter—or even just internet—the CISOs would connect over breakfast and help each other out. In this episode, Steve recounts how 12 officers from different banks helped him make a deal with a difficult vendor.
A Board Presentation and its Lessons
One of the best, and most valuable stories Steve describes is in the early 80s, when he and his team discovered several PC viruses. When he told his boss, Steve had to stand in front of
the Board of Directors with zero prep work and explain what computer viruses were and how they can impact Morgan. In under three minutes, he had acquired $400,000 to implement antivirus techniques. In this episode, he relays the incredible story and the life lessons he learned about communicating with executives and why being transparent is best.
Steve puts forth his theory on how most executives view
themselves and how this influences the way in which you need to
explain cybersecurity matters. He urges CISOs to go through
everything carefully and logically, and to rehearse your
explanation beforehand. He says your explanation needs to pass the
“grandma test” before you speak to an executive. Listen to the
episode to discover what he means by this. Steve also
illuminates why a lot of security people struggle to explain
themselves. He points to who they surround themselves with and how
they need to shift their thinking when
speaking to leadership.
Unrealistic Expectations and Stress on CISOs
In this episode, we also touch on how studies have shown that
CISOs tend to have high levels of substance abuse, divorce,
physically poor health all from stress, as we’ve discussed in
previous episodes. Steve believes the problem is in how we define what goes with the job. CISOs go in afraid of being fired after a breech, but the industry hasn’t accepted the fact that a
breech will happen. Every CISO gets fired at some point, but Steve states that you should get fired for doing the right thing, not the wrong thing. He encourages CISOs to come into the job by being clear about what’s feasible and what’s not. To explain that there’s no perfect cure, but we can reduce risk, and build trust and credibility with the executives. Most of all, don’t make promises you can’t keep. On this topic of the relationship to executives, Steve encourages CISOs to get to know
the leadership before there’s a problem or breech, so they know who you are when it happens. Let them know why you’re there and what’s important to them, not to you, by focusing on
business risks. Present these risks as you understand them, their impact, and the ways you can potentially mitigate. To help buffer personal stress, he explains why the ultimate risk is on the
business itself and not on you, and how who you are isn’t the same as what you do.
What Steve Loves about the Job
While there are many stresses to the job, Steve brings up what he loves most about it. He feels stimulated by the constant challenges and loves the cybersecurity community. Listen to the
episode to hear more about why this community means so much to him and why, in his opinion, it’s the best professional community out there.
The New CISO
Lastly for Part 1, we discuss what the new CISO means to Steve. His answer may surprise you. Tune into the episode to find out what that is.