The board doesn’t care about your EDR solution, says Marco Maiurano. The board doesn’t care about your GRC platform, either.

“I know these are controversial statements, but boards want to know risk,” said Maiurano, the Chief Information Security Officer at First Citizens Bank. “They want to know metrics. They want to know the business impact.

“They want to know why you are investing where you’re investing. How are you reducing and mitigating that risk so that they can be assured that you are doing everything you possibly can to reduce the risk as much as you can, and allow them to make sure that they can effectively challenge and govern?”

Maiurano was introduced to the notion of risk management as director of cyber threat intelligence and the cyber defense center at AIG, where the hot new topic about a decade ago was cyber insurance.

“When I think about how most folks talk about cyber, we love to talk about technical stuff, but we fail to think that not everybody is a cyber expert. But what a lot of business leaders understand is risk and risk taking,” he said.

Cyber wasn’t even on the radar when Maiurano was in college. As an anthropology and microbiology major, he dreamed of moving to Africa to study epidemiology.

But after graduation he needed a job, and as an intern at Verizon, he unexpectedly found himself managing a team of 100 union employees on the network operations team at the World Trade Center in Manhattan. That office disappeared in the 9/11 attack, and he ended up helping to rebuild Verizon’s infrastructure at WTC.

His next job was running the SAT program for the College Board, with responsibilities including cybersecurity. Cheating was undermining the validity of the exam, so he started doing social media monitoring to try to contain it.

Citigroup then recruited him to help build a cyber intelligence center there, and cybersecurity positions at AIG, Barclays and First Citizens Bank followed.

In his current job, he was tasked with building an information security program from the ground up.

“The board and the executive leadership team had the foresight to say, ‘Our aspiration is to get bigger, and with that comes higher risk. And cyber is one of the key top risks to the organization.’ So they wanted someone to come in and build a program that would be able to scale,” he said.

Maiurano started almost 3 ½ years ago with a team of 14 people that has since grown to 500 as acquisitions catapulted First Citizens from a regional bank to a national one, opening up a significant amount of regulatory scrutiny.

His experience with risk management has served him well.

“I think the experience from having risk background and the pure operations background positioned me really well with the board at First Citizens because I am able to have a very risk-based conversation around the threats I’m seeing,” he said.

In many large industries, Maiurano sees the role of the CISO becoming more of a true executive role.

“There’s not one board conversation when you’re not talking about a cyber attack or some type of resilience. Regulators are driving a lot of this, but I think boards, at least in financial services, are making sure to engage with CISOs, and there’s an expectation that there is board exposure to the CISO.

“The CISO is not the person in the back room now making sure you’re patching your stuff and writing your reports,” he said. “The role is really around how am I partnering with the business to make sure that I can match their aspirations of where they want to take the organization. And eventually, I have a feeling that you’re going to see more CISOs on boards.”

Maiurano’s biggest challenges today are the regulatory environment and the dynamic threat landscape.

“It’s good and it’s important that we have regulation, but managing it takes an army to do that,” he said.

“And the threat environment is constantly evolving. One of the challenges is to make sure your board, your executive management team, the folks who own the funding, understand that. Peers have said they’ve been asked, ‘Well, nothing’s happened yet, so why should we continue to fund?’ And that’s a really hard conversation to have if you don’t have data and you don’t understand risk.”

The ever-changing threat environment means CISOs must try to keep pace with malicious actors as they use new technologies such as artificial intelligence.

“You don’t want to bring a knife to a gunfight, so you want to make sure that you are understanding where things are changing and going,” Maiurano said. “Technology is not going to stop, and we’ve got to figure out how to lean into it and make sure that we are leveraging it for good as well.”

CISOs not only have to identify risk, but they also operate the controls to mitigate it. The constant inundation with data, the constant analysis, and the constant efforts to rationalize create relentless pressure, and that takes a toll on security practitioners, Maiurano said. That makes watching out for the team’s well-being yet another challenge.

“Burnout is real in our industry,” he said. “How do you make sure you’re giving people rest? How are you making sure people are thinking about their health?”

Maiurano decompresses with martial arts – Brazilian jujitsu and Muay Thai. He also loves to travel with his family, with trips to Iceland and Easter Island in the offing.

Does he regret not going into epidemiology or anthropology?

“People often ask what I’m going to do when I retire, and I say, just be an anthropologist. It might be something I would go back into, but I don’t regret not having done it as a career,” Maiurano said. “My philosophy on life is you just go where it takes you. I don’t try to plan everything because as much as you plan, someone else has got another plan for you.”