When young cybersecurity practitioners ask Marcos Marrero for advice, he turns the tables and asks them why they want to get into the field.
“The reason I ask is because if you get into it for the wrong reasons, you’re going to burn out and leave,” said Marrero, the Chief Information Security Officer at H.I.G. Capital and a member of the Esteemed Board of Judges for CISOs Connect’s 2023 Top 100 CISOs (C100) awards.
“You have to have an innate passion for either technology or cyber in order to really be able to stick with this as a career, let alone be successful in it,” he said. “So do not do it just because of all the hype around it, or because you’ve read or heard about the compensation in the field. You have to do it for the right reasons, and in doing so, you’ll reap the benefits.”
Marrero got into cyber while working at a help desk in Miami for the private banking arm of Lloyds Banking Group.
The Federal Reserve had instructed the company to hire an information security officer, and Marrero received the ticket to set up a computer for the company’s new information security officer. Security intrigued him, so he asked for advice on how to break into the field.
Several months later, the new infosec officer brought him on to his team, promising to teach him on the job.
“I came in as an information security analyst and rose through the ranks to where I am today,” Marrero said. He’s spent most of his two-decade career in financial services.
The two traits a successful CISO must possess are knowledge of the industry and a dedication to leading and serving others by example, Marrero said.
His parents instilled in him a commitment to service leadership from an early age, so giving back has figured centrally in his professional life, he said.
“Ever since I can remember, I’ve always been one to help, always been one to serve others, to mentor, to lead,” Marrero said. “From a career perspective, then, what I look for are individuals who reflect that same type of character. Individuals who do not just see it as a job but have an innate passion for the subject matter and the industry.
“This passion is crucial because that is the only way that you really are going to contribute positively toward the industry, and at the same time reap the benefits of it in your own professional career. Giving back demonstrates your passion for it.”
Marrero mentors informally, and in recent years he has also been teaching cybersecurity with Microsoft TEALS, a philanthropic program that promotes computer science studies in rural and low-income community high schools.
“I’ve seen not just the impact that it has on the individual or the child itself, but the impact it has for the family, because you are now changing generationally the direction of that family’s life by serving as a role model to siblings, cousins and offspring, and significantly augmenting the family income,” he said.
“I came from a low-income background where my parents were working ‘24/7’ just to keep things afloat. And I have a lot of childhood friends who unfortunately went down the wrong path in life because they did not have access to the right opportunities or didn’t have guidance from a leader or from parents or from some sort of a mentor to help guide them. So, I identify with it very, very closely because I see myself in those kids 30 years ago. All it takes is that one break.”
Marrero sees the CISO’s stature continuously elevating within organizations as protecting information becomes ever more critical in an increasingly digitized world. At the same time, he said, “it is also up to the CISO to demonstrate value within the organization by contributing to the bottom line through risk reduction.”
Fear, uncertainty, and doubt over new accountability regulations are dogging the CISO community, but Marrero thinks that’s an area “that is blown out of proportion.”
“If you do what you have to do, you’ve documented, you’ve communicated, you’ve done all you can, you’ve washed your hands at that point,” he said. “If action does not want to be taken, then action does not want to be taken. But if you have made folks aware of the consequences of inaction, you cannot be held liable either legally or regulatory-wise. You have done the best that you can. Just make sure you document it.”
A top challenge today is the same challenge that plagued cybersecurity chiefs 10 years ago, Marrero said.
“It’s about positively influencing within the organization, getting people on your side to do the things that you need them to do or not do to keep the organization safe,” he said. “Security is everyone’s responsibility. It is not just the CISO’s or their security team’s. No one person or department can successfully do that.”
In his scarce spare time, Marrero likes to catch up with family and friends, take care of home repairs, and go scuba diving in his South Florida home base and the Bahamas.
“Technology is my hobby, but scuba diving is one non-tech hobby that I like,” he said.