Deloitte is one of the largest professional services firms in the world, providing services in audit, consulting, financial advisory, risk management, and tax. AuditBoard is a compliance and risk management firm that agreed a $3 billion acquisition by private equity firm Hg in May 2024. Kevin Winter (Global CISO at Deloitte) and Richard Marcus (CISO at AuditBoard) are top CISOs for these major global firms.
The primary purpose of SecurityWeek’s CISO Conversations series is to help ambitious security professionals plot a path toward, and understand the changing role of, senior cybersecurity leadership. We start by looking at the routes already taken by today’s top CISOs.
Starting point
The traditional route into cybersecurity is from a technical background in IT. This still applies, but the role and remit of security has expanded from ‘just stop the bad guys’ into ‘help make the business more profitable’. This requires an understanding of business as well as technology.
Neither of today’s CISOs followed that standard route – both moved from a non-technical background into cybersecurity. “I was a psychology major at university, with visions of going to medical school,” said Winter. “But I couldn’t really afford it; so, I joined the Marine Corps.” It was a good move: he learned both technical and leadership skills.
Marcus studied finance and entrepreneurship at school. “I think that has given me a unique perspective on cyber through a degree of business acumen that must be learned separately by the folks that come up through more technical roles,” he said.
Career path
Marcus’ first job was on Wall Street, doing equity research. But then came the 2007/8 housing crisis, and he changed direction. “A friend was at a startup, and I joined him. It was Edgecast.” It was here that he saw the potential of technology and the need for cybersecurity to maximize that potential.
“I saw an opportunity to do challenging and meaningful work that other people were not necessarily excited about. So, I made that my focus, to go and learn those skills, and help the company fill those gaps to grow and achieve its objectives.”
His first task was a PCI audit. He didn’t know what PCI was – but it became a 90-day crash course in technology, security, and business. He accepted and expanded the role, becoming manager of security operations before moving to Verizon Media as senior manager, GRC. He became director of information security at AuditBoard in 2019 and is now AuditBoard’s CISO.
Winter’s military service was with the Joint Task Force – Computer Network Operations (JTF-CNO). “It was charged with defending the DoD networks from hackers.” The military taught Winter about networks and cyber.
His first civilian job was with Booz Allen followed by SRA. He went back to Booz Allen as CIO before moving to Deloitte as US CISO – and is now Deloitte’s Global CISO.
The point, in both cases, is that you don’t need to plot a specific career path in cybersecurity from an early age if you are willing to continue learning and recognize and accept opportunities as they occur.
The role of the CISO is difficult to define because it is in constant flux – external pressures (hackers), internal demands (compliance), and the availability and use of technology (AI now and quantum to come) all continuously evolve; and the CISO is required to absorb and adapt.
The CISO’s hierarchical position is one example. The traditional and still most common position is for the CISO to report to the CIO. This relationship is becoming more nuanced as the importance of security to both defend and promote the business is better understood.
Winter, who was a CIO at Booz Allen, explained: “The easiest way to get a security program in place is when you own the whole thing. There are some amazing technologists in cyber. They know how to solve and develop software, and they know networks. Security and IT infrastructure departments are operating very close these days, given that security design has grown beyond the early stop, block and tackle approach of buying every product available.”
He continued, “It’s now ‘design to defend’; and that’s where the cyber team needs to really understand IT operations and the IT operations team needs to understand how to design properly and securely. So, the CISO must be a peer with the CIO – and in many cases I’m seeing the CISO leading in the design work. We’re doing a lot of that here at Deloitte, with security leading the design of the network, because we’re entrusted to do it in a secure way.”
AuditBoard has already completed that journey and was one of the first organizations to do so. “The CISO is the CIO,” said Marcus. “The enterprise IT function reports up into security. This has given us the opportunity to build security best practices into things like identity and access management and endpoint security. It has allowed us to build a secure scaffolding that all other IT goals and objectives hang onto.”
Compliance

Compliance is another role expansion affecting security, often being considered either a boon or bane by CISOs. It can be both, suggested Marcus. “If you’re in a highly regulated industry, it can help you organize and communicate to your teams what must be done and what must be incorporated into any products purchased or procedures implemented. It can help influence people to do what’s right. That’s a boon.”
But, he continued, “If you’re doing compliance for compliance’s sake, and you’re not being strategic about where to make investments, or you’re not using it to influence the right behaviors internally, then you’re doing compliance for the wrong reasons. And of course, then it can be a bane.” It all depends on how you use compliance.
Overall, regulations, and compliance with them, have increased the CISO’s workload but also increased the CISO’s standing. Compliance has been instrumental in promoting the position, increasingly though not yet sufficiently, toward a seat at the board, or at least a voice at the table. But one regulation has caused a lot of discussion and not a little consternation in 2024 – the SEC disclosure rules.
The SEC requires prompt disclosure of material cyber incidents within four days of determining materiality. The difficulty is that materiality is ultimately a value judgment for the business and the CISO. The danger is that if the call is wrong, as later determined by the SEC, the CISO concerned could be held criminally liable. This will quite possibly affect how CISOs feel about their jobs, and how companies think about their CISOs.
“I’ve been watching the litigious world that we’re now in, and I’m not pleased at all,” said Winter. “I didn’t think it would go this direction.”
Deloitte is a private company, so it is not directly impacted by SEC rules. Nevertheless, he continued, “I’m not happy with this, because I think when people try to define an event or a cyber event, and there’s 10 renditions of what that means, I don’t think we’re going to get equal reporting. I don’t think people understand the ramifications of reporting or when you need to report into the governing bodies like the SEC. We need to understand what it means, what the outcomes are like, and what they are trying to accomplish. I don’t know if that’s quite clear.”
A CISO can only be as good as the security team. Assembling a strong team requires good selection and effective management: that is, who do you recruit, and how do you maintain top efficiency?
Recruitment is a balance between multiple individual rock stars and a single cohesive team. That’s a personal choice for each CISO, but usually involves a compromise: the best possible individuals with the widest possible range of diversity that will still make a single team.
Having recruited the team, the CISO must help them excel both as individuals and one team. “I love the Japanese concept of ‘ikigai’,” said Marcus. Ikigai can be defined as finding your life’s purpose – the meeting point of personal passion, skills, mission, and vocation.
“I think you need to deliver an experience for the security team that checks all these boxes. They need to have interesting problems. They need to be using modern technology with some autonomy over what they use. You need to provide a sense of purpose – that what they’re doing is not just about the immediate technical work, but will have a broader impact on the company, the industry, and the world at large. And of course, you must pay them what they’re worth. I think if you do all these things, you’ll have a very happy and motivated and engaged team.”
Winter has a similar view. “There are so many cyber jobs and there are so few people. If I want the best talent, I need to create a place where they can grow and work and love to be. So, for me, it’s empowering them, trusting them, rewarding them, and giving them opportunities to grow. But yes, 100%, every CISO’s success is completely based on the intellect and labor and innovation of their team.”
Motivation is, however, just one side of the coin. Protection is the other side; and this often requires protecting the mental well-being of both self and team.
“Cyber is a burnout space,” warned Winter. “People work long hours, especially if there’s an event or if there’s an active vulnerability that needs to be managed. In these times, no-one drops the pen, or the keyboard, until it’s over. For myself, I try to set a visible example with daily walks with my dogs, activity on my Peloton bike, and so on.”
For his team he attempts to manage their stress levels by ensuring and insisting on downtime. “When I recognize that people did put in time, I’ll make sure they subsequently disconnect. I also make sure that no one person is solely responsible for a single area, or topic or department – that they don’t have the additional pressure of feeling the weight of any single event is entirely on them alone.”
Part of motivating a team is mentorship, and mentoring is an important aspect of being a security leader. We look at this from two angles: what advice did the CISOs receive in their own journey, and what advice would they give to members of their team embarking on a new journey.
Best career advice received
Marcus recalls two examples that have helped his career. The first was, “To be successful in the corporate world, you should never say ‘no’.” This was advice given to him by his father. “If an opportunity comes along, figure a way to say ‘yes’, even if you don’t know how to or lack self-confidence. Make the commitment and then figure it out on the way.”
This is advice he has followed throughout his career. It has led him into some tough spaces but enabled great and early career opportunities.
“Security is like the janitor of the internet,” he added. “The internet is often a mess that security needs to clean up. In infosec we’re called upon to do those tough, sometimes thankless jobs all the time. So, take the leap, raise your hand and volunteer, and figure out how to get it done along the way.” The unspoken result is greater experience and knowledge – and brownie points.
The second piece of advice came from an early mentor at Edgecast: “Good news should travel fast, but bad news should travel faster.” The point is that CISOs must often deliver tough news to executives who may have unrealistic expectations of security.
“Your job is to be an ethical leader,” he continued. “You must be comfortable sharing bad news, and sharing it very quickly, so you can minimize damage and get the company back on track. You need to be that trusted adviser that the business can count on to do the right thing.”
Winter’s best advice was more an observation than specific advice received. A friend studied for a postgraduate Duke MBA. When asked why, the friend replied, “I wanted to make sure I sat at the table.”
This made Winter realize that while CISOs delivered briefs, they didn’t sit at the table. “A lot of this was because the executive team or the board just didn’t know what to do. They just wanted security to stop the hacking. They wanted the CISO to take on the technical role, and they didn’t understand the strategic relationship between the organization and the cyber department.”
Winter also went to business school and came out with a clear intent. He wanted to make sure he came into an executive team as a peer and a business partner whose job was to bring a cyber strategy to the business. He translated an early observation into this advice: “Don’t look at your life or your career in the vacuum of ‘I am a cyber professional’. If you want to get into the CISO realm, you must look at yourself as a business partner – you’re the one bringing the cyber strategy; and that mindset is important.”
Advice for team members
The advice Winter gives to his security team is an expansion on the ‘advice’ he received. “Your technical skills will get you to a leadership position, and your leadership style will keep you there. But if you want to transition to be a CISO and you want to sit at the executive level of the organization, you really need to bring more to the table.”
This means you need a wide repertoire of skills – you need to understand all the pieces of cyber. “So, if you’re good at incident response, I say ‘go do something you’re not comfortable with’. If you’re strong in IR and want to grow, I say ‘move out of that role and try a different role. Go do something you’re not comfortable with. If you want to grow, move out of your comfort zone and go into an audit role. Look at your blind spots and make sure you have a full repertoire of skills.’ That will get you where you want to go.”
The advice from Marcus is to focus on the customer, which in this case is the business and its users. “What functions can you build and mature? What can you do to unlock value, strategic value for the company? Do this and you’re growing and developing your skills in a meaningful way and getting personal satisfaction in your career development. But you’re also putting points up on the board for the company and will be recognized for your contributions and impact to the company and customers.”
An important part of this is developing and maintaining relationships with those stakeholders. “If you’re pursuing a CISO role, you can’t really start to be successful until you understand those relationships and what they’re expecting from you.”
When all is said and done, the primary role of the CISO is to prevent cyber harm to the company. With this in mind, we asked both CISOs to indicate where they see the biggest upcoming cyber threats.
Marcus suggests the supply chain. “Businesses and technology are all becoming more interconnected. It’s just the way business operates today. So now we must understand the concept of connected risk, how all the different parts fit together, what risks can be exposed by different entities within the chain, and how you can monitor and protect yourself from those risks.”
We cannot stop third party business relationships, but we clearly have less control over the security of potentially small and not so well defended suppliers. “Over the last decade or so, we’ve invested in shoring up the front door. We’ve invested a ton in application security and infrastructure security and enterprise security – so the front door of the house is well protected. But more and more we’re seeing attackers trying to slip in through the back door and the side door; and they can find those seams to get in a lot more easily by attacking the supply chain.”
Winter sees the biggest threat coming from gen-AI. He doesn’t know how, but that uncertainty is itself part of the threat. “We’re all looking at gen-AI, but I don’t think we’re yet scratching the surface of what it can do. Nobody really saw ransomware coming even though it’s so simple and intuitive.” Now it’s pervasive, and the fear is that gen-AI will deliver a similar sucker punch out of left field.
“We’re waiting to see how the criminals and nation states will use AI to up their game, and I think there are many possibilities. But we won’t know what they’re doing until they start doing it. They always get the first move, and we cannot really develop countermeasures until we know what to counter.”
This is the reality of cybersecurity: it is largely reactive to proactive criminality. The threat from AI is that whatever the attacks will be, they will likely be faster, less visible, more compelling and at greater scale than anything we have yet witnessed.