In a way, it was music that led Kevin Morrison, the CISO of home construction firm PulteGroup, to a career in information security.
“I was always musically inclined,” he says. “My parents were both musicians, while my older brother played trombone, and my younger brother played saxophone. There was always music around the house.”
Morrison learned to play the drums at an early age, and then acoustic guitar in high school, and eventually joined a band in the Seattle, Washington area in the mid to late 90s. The lead guitarist – a software developer who worked with a contractor – was working with Morrison on the band’s website. “I caught onto HTML pretty quickly and he said, ‘Hey, you’re pretty good at this stuff. You should do this for a living.’”
The musician friend introduced Morrison to his IT contractor, who found Morrison his first IT job. The rest is history.
Morrison was fortunate that his musical parents were also into technology. When he was about nine or ten, they had an Apple IIe computer in the house. Morrison also had a technically inclined older brother. “He would say, ‘Hey Kevin, come check this out. Press the space bar.’ After doing so the whole monitor would read: ‘Kevin is a dork, Kevin is a dork, Kevin is a dork.’”
Kevin fell in love with what could be done. “I told myself, ‘I’ve got to learn how to do that!’”
Aligning education and career
Morrison had already completed an Associate of Arts when he decided to complete his undergraduate degree seven years later. During this time, he was already in IT and Information Security. Two years later, he started a full-time, on-campus evening MBA program at Pacific Lutheran University – all while he was employed full time.
“I went to grad school to better understand the business,” he says, acknowledging the need to complement the technical side of his experience. “I knew that if I were to mature and grow into leadership roles, I needed to do it.”
He completed his MBA with emphasis on technology and innovation management, looking at disruptors within the market and understanding how such innovation enabled businesses to succeed.
Now, just a few months into his new job, Morrison feels fortunate with his colleagues at Pulte. “There are no egos,” he says. “People genuinely want to see others succeed. Everybody understands the mission and feels like they are contributing.”
The demands of the job are clear to him as well: “I get what Security is up against. You have to satisfy your shareholders, protect the brand, be an agent for culture change, enable and not be an impediment to the business, compete for limited resources and competing priorities, etc. I’m always seeking optimal ways to address risk to the business and that requires input from a lot of different stakeholders.”
At the same time, he also needs to balance risk and cost. “What are the controls already in place that may not be fully leveraged and how can we maximize them? New technology and innovations are certainly improving the Security team’s ability to address today’s threats and risks, but it’s not always the shiny new solution that is needed. With the right focus and approach, there’s a lot that CISOs can certainly do to impact the trajectory of business success.”
The job of a CISO is never easy, but Morrison can sleep soundly as long as he feels he has visibility of all risks and threat vectors, if possible. “Visibility is key from a risk management perspective.” He also believes that an organization must foremost take care of the basics. “Many breaches have occurred simply because organizations have not had sound fundamentals and good security hygiene.”
At the same time, the awareness aspect has to be high priority. “You coach employees so they are better prepared for understanding how to detect threats to the organization, such as phishing.”
Morrison likens a sound security program to building a house: “If you put in top-of-the-line hardwood floors and granite countertops, but were sloppy and built a faulty foundation, then those expensive investments will be worthless, as that house isn’t going to last very long.”
Despite his busy schedule, Morrison makes time for the more important things in life. He likes spending time with the family, saying he is blessed to have a fantastic wife and kids. He plays golf, and enjoys the outdoors and reading. And of course, he remains an avid musician, still playing the guitar and drums.
“It’s a peaceful time and brings a good balance when I am able to do those things.”