Mark Eggleston came to cyber security from a career in psychotherapy, and he’s brought that people-centric experience firmly into the C-suite.

“What I like to do is value the interpersonal contributions of each person, and make sure we’ve got a diverse program to cover diverse needs,” said Eggleston, the CISO of CSC, a provider of tax, legal, digital protection and branding services.

“It’s often said you have three resources: people, process and technology. I really believe in following that order. Sometimes you want to go after the first great technology. But that shouldn’t be the first course of action, which should instead be how to recruit and retain.”

Cyber security is actually Eggleston’s third career. He graduated from college in the early 1990s with a bachelor’s degree in psychology, but there was a recession in full swing, so he worked in construction.

Stronger family support

Before long, he went back to school to get a master’s degree in clinical social work. Working with children and adolescents with physical and mental health issues was “wonderful, and very intrinsically fulfilling,” but when it came time to have a family, he wanted to expand his horizons and get other avenues for stronger family support.

His wife suggested he “do that computer thing you were thinking about,” so he went back to school for a post-baccalaureate in management information systems. For many years, he combined his clinical and business skills, first working for a company that did all the continued stay approvals for children across the state of Virginia in therapeutic foster care and residential treatment.

From there, he transitioned to a large hospital system, Catholic Health Initiatives, to help build its national privacy and security program, following the passage of federal health information privacy regulations known as HIPAA.

“I really found it interesting, both from the vantage point of an ex-psychotherapist who always valued privacy, and the administrative, physical and technical controls for security,” Eggleston said. “Being named a HIPAA security official was a begrudging task because typically you were given very little guidance, and people would always joke, ‘Hope you look good in orange ‘cuz you’re going to jail, you know.’”

His next job was with a regional HMO in Pennsylvania, Health Partners Plans, designing its privacy, security and business continuity program. He worked there 17 years until transitioning last summer to CSC.

“It was a wonderful opportunity, a kind of Great Resignation thing after 17 years at one employer,” Eggleston said. “It’s a global organization and has an optimistic and bright financial future. It’s very exciting for me to take on, and I’m using all my past experiences there as well.

Transferable skills

“When you’re in construction, building things, you learn to roll up your sleeves and get dirty, and lead teams in the sometimes grudging work that security can sometimes be,” he added. “And the psychotherapist in me is doing that piece where you get to understand what motivates people, which is definitely a big piece of management. So I still use those different skills in what I do today.”

It was odd changing to a new job after such a long time in another organization where he held various roles and felt “immense comfort” with executive leaders and the teams he built, Eggleston said.

“The biggest challenge here was learning a global organization and an industry outside healthcare. It was interesting to get up to speed on that,” he said. “But security, the controls, the people aspects, the program, the technologies, they’re still all the same. So I latched on for comfort to some of those things that were the same, while pushing myself to embrace the uncomfortable.”

At the year-plus mark, Eggleston wants to make more global changes and efficiencies.

“I hope I’ve earned that latitude with my directs to push them differently,” he said. “So we’re going to continue to call each other out on things and continue to just get stronger together, so I think that’s the next challenge. But I’m sure we will rise to the occasion here.”

When he first started as a CISO, his core function was limiting risk. Now, he sees it as empowering business growth. “That’s a continual journey in conversations with the executive leadership and the board, probing risk tolerance,” he said.

Time crunch

At the same time, there’s no quenching of the thirst for new technology, and it’s a big challenge trying to select the best vendor, he said. A colleague once gave him solid advice: Get new entrants in the market and work with them to develop the product to meet your requirements.

“There aren’t enough hours in the day to vet all the new entrants into the cybersecurity market for technology and some of the process pieces,” he said. “I’m a big fan of getting more aggregate solutions under a single pane of glass and hopefully getting a shorter list of MSPs or valued partners to help us do this so we can work on maximizing that relationship and help them understand our culture and priorities instead of training a new vendor or a new managed service provider every year,” he said.

In the future, this onetime chief privacy protector expects to see more aggregation of the cyber security and privacy roles.

“I do think that we all need to continue building in privacy impact assessments into our security, making sure we’re looking at privacy, just using the minimum necessary information and making sure that the privacy of our consumers and employees is respected when we enable process and technology,” Eggleston said. “That’s a key trend and I think it will continue, becoming more science- and psychology metric-based, especially as it relates to providing cyber education to your workforce.”

Giving back

Eggleston describes himself as “a huge bourbon fan” who “likes to imbibe responsibly.” He also likes to boat and mountain bike.

“Both of those things are also ways that I help deal with mental health,” he said. “Unless there’s a core project, I typically don’t focus a ton on work on the weekend. That’s more about spending time with my wife and three children. In the evenings, it’s usually some work, at least a couple of nights a week. And I also do some side projects, whether it’s side consulting, or mentoring other folks, or just dialogue on LinkedIn.

“Although I’m not a huge social media fan, I’ve gotten a lot of guidance from LinkedIn, and now I like to give back a little bit more on that platform.”

Read the CISOs Connect™ Magazine CISO Spotlight Edition here: