Cyber security leader Marcos Marrero is a great believer in mentoring a new generation of cyber professionals. That’s how he started in the business, and that’s how he develops his team at H.I.G. Capital where he heads security as the Global Director of Information Security.
“I’ve hired information security analysts straight from the technology department. They know the technology assets. They know how the business works. They know what we have. Teaching them the security – that’s the easy part.”
This was also Marcos’s path into cyber security. He remembers well the day 19 years ago when he took his first step into what was then called Information Security. He was working as a Service Desk technician in Florida for Lloyds TSB Private Bank, the private banking arm of financial giant Lloyds Banking Group, when he was tasked with setting up the computer for the new head of the bank’s fledgling Information Security Department. While he was setting up the computer, he asked the new department head how he could get into Information Security. The department head said he was looking to hire a Security Analyst and asked Marcos if he had any experience. Marcos admitted that he had none.
“Doesn’t matter,” said the new Information Security Officer. “I can teach you the security aspect of it. The important thing is that you know the organization. You know what we do, you know who the players are, and you know what we have.”
That was 19 years ago. The Information Security Officer who gave Marcos his first break has remained a mentor to this day.
“In cybersecurity, mentoring is very important and we need to continue fostering this practice,” he says. “My first manager mentored me and brought me up through the ranks, and I have learned and continue to learn so much from him. He was willing to take a chance on me, helping me navigate the potential minefields that Information Security can be. And then he let me go off and do my own thing.”
Marcos credits his mentor with guiding him as he set up different aspects of the banking group’s Information Security program.
“It was definitely a combination. He did not necessarily hold my hand the whole time, but he did provide the required guidance when I needed it.”
He tries to do the same with his staff. He sees it as an achievement rather than a setback when they leave him to step out into the world. “Those are good problems to have. When your folks outgrow the organization and move on to bigger and better things, you indirectly contribute to the community because that’s just another CISO that now is part of the much wider group of CISOs in a particular location.”
An evolving role
Marcos believes that a CISO can come into an organization in two ways.
First, if an organization already has an established Information Security program, the new CISO assesses what’s in place, makes changes and enhancements here and there, and continues running things the way they are with the existing staff and resources.
But a second, more enjoyable path is to come into an organization that may not have any Information Security function at all, or that has bits and pieces of one scattered across the technology, risk and compliance teams.
“You are actually building the cybersecurity function from the ground up and establishing administrative, technical and physical controls.”
Depending on the size and complexity of the organization, reaching the maturity level the CISO set out to achieve can take a few years. Then the CISO is at a crossroads.
“You can be the type of CISO who says ‘Okay, my work is done. I build programs and then I move on to the next challenge.’”
“Or you can say ‘Okay. I built this program, now it’s just a matter of continuing to mature it.’”
In this sense, the CISO evolves from being a technical person to being a trusted advisor to the organization, protecting its assets. CISOs must understand the underlying security technology, but they can’t get into the nitty-gritty of things. Instead they need to deeply understand the business and its overall strategy and meld that together with the organization’s cybersecurity needs.
This means they have to be very practical and adaptable with a strong focus on what’s best for the overall business.
“CISOs are no longer the individuals that say, ‘No, you can’t do this because of this compliance or requirement, or this regulation says that you can’t do it.’ It’s ‘Yes, you can do this. But we’ve got to find a secure way of doing it.’”
“I see us as CISOs going into what I like to call Security 3.0; we’ve been at 2.0 for a while now. I think the 3.0 is when we start to mature our controls. We’re starting to get a grasp on things and we have security programs that are functioning. They’re in place, we have a good set of controls. We’re starting to have that exposure to the senior management of the organization. We’ve gotten their attention,” he says.
Organizations, Marcos says, will face challenges because of two things: a lack of staffing, and a continuing mindset, among some, that cybersecurity is simply a way to comply with regulations.
“The issue with the lack of staffing is not that we’re not training folks fast enough. Our problem is that the technology has moved and continues to move so fast we have not had the time to train up the next generation of professionals that’s coming in behind to work within Information Security Programs, be it as an analyst, an engineer, or incident response professional. Because it moves so quickly, we haven’t had the time to properly train those folks,” he says.
On the second issue, “there remain organizations out there that just don’t understand Information Security. They see it as this thing I need to have because some regulation says I need to have it. And even with all the breaches and incidents that you see in the news they still don’t think that they’re a target.”
“Breaches in the news certainly help; when someone in the C-suite sees one of those breaches on the front page of the WSJ or New York Times, they ask if it could happen to us. Seize that opportunity. That’s your chance to go in and brief them on that potential issue and what you are doing to reduce the risk of it occurring.”
Marcos has always lived and breathed technology and security. Indeed, he has come a long way from the 16-year-old expat in the Dominican Republic, teaching computer courses to folks much older than he was in his aunt’s computer training school. He has learned much along the way and looks forward to doing more for his organization, for his CISO peers and for the wider community now facing constantly evolving and different security threats.
“I guess this directly relates back to my upbringing,” he says. “My parents always fostered in my brother and me the virtue of helping others. It’s my way of giving back and positively contributing to a greater good.”