The New CISO Podcast: Leading with a Military Mindset – It’s “We,” Not “Me”

In this episode of The New CISO Podcast, Steve Moore is joined by Steve Magowan, Vice President of Cybersecurity at BlackBerry, to discuss how military teachings apply to tech. First starting his career in the Air Force, Steve Magowan understands how the military mindset can make you an asset in the security field. For clarity, in this post, we’ll refer to the two Steves by their last names.

In this article: 

• Key skills for cybersecurity that can be gained from military experience
• Bringing leadership to the table
• Supply chain attacks
• Differing agendas
• How to get the funding you need as a CISO
• Advice for the new CISO

Key skills for cybersecurity that can be gained from military experience

Although having this skill set is now recognized as vitally important, it’s challenging to find someone with tech abilities who can also manage a team. Due to their work ethic and unique perspective, the military has become a worthwhile option for recruiting cybersecurity professionals. Magowan explains, “In the cybersecurity world, it is really tough to find somebody that’s deeply technical but can also manage others. That would be one of the biggest benefits I would see from a military person.” 

There are differences between military and civilian security professionals. Moore notes that people who have served tend to be more willing to work long hours and share their perspectives to manage a crisis. Magowan states, “One of the other things you get from the military is the work ethic and the attitude which you don’t always find in the private sector. Military people are trained to think a certain way, and you know what you’re getting as far as their work ethic.”

Although Magowan did not have a direct cybersecurity background, a family friend knew of a job for him in the field. With years of consulting and operational technology (OT) experience, he was well suited to transition into, at first, an IT team due to his leadership skills. He recognizes that his military experience opened the door for him, but his hunger for knowledge made him succeed. He explains, “The biggest adaptation I had to make when I came to the private sector was I was accustomed to ‘us, we, and ours’ as the guiding principle. In the private sector, there’s a lot more ‘me, myself, and I.’ I found that to be a tough adjustment, but the magic bullet in my success as a leader has been I bring that ‘we, us, and ours’ mentality, and it’s more [of a] team mentality. It pays back. This is the result of that mindset that comes from military service.” 

Bringing leadership to the table 

Moore asks Magowan which qualities helped break him into the field and assure employers of his leadership abilities. Magowan reiterates that both his military background and his lack of ego made him a worthwhile candidate. He says he knows he’s not the most intelligent guy in the room, which makes him want to learn and figure out how to solve any security problems that come his way. “The most important thing I say to any aspiring leader is, ‘Don’t be arrogant.’ An oversized ego is the one thing that will make smart people do stupid things more effectively than anything else,” Magowan asserts. “One of the biggest things that I brought to that team, is the attitude that I am not the smartest guy in the room.” 

When describing his views on teamwork, Magowan says, “My job is not to know everything. My job is to bring together all the pieces of the puzzle and assist in its assemblance into a picture that everybody can read and deal with. And knowing that everybody has a piece of that puzzle, and my job is to make those people work together, to put that puzzle together properly. I say don’t be a selfish leader. If you’re a selfish person and you think that it’s all about you and your job, all these people in this room, your whole job is just to give me what I want. You’re going to fail.”

Supply chain attacks 

Supply chain risks are a growing threat, and a challenge to people in the cybersecurity world. Magowan shares how security professionals have dealt with these types of breaches and the differing objectives between business leaders and CISOs. He says “A lot of it is, supply chain risk is hugely growing in prominence and notice in recent times, largely in response to nation-state actors. The threat actors have gotten far more sophisticated. A lot of these people have nothing but time and energy and resources to sit around and think of new ways to improve. They have a lot more resources than we do, unfortunately.”

Magowan believes everyone in cybersecurity should understand what happened during the SolarWinds breach. “The-nation state actors were able to work their way into the code build chain of a prominent software that’s installed across thousands of companies. It’s a very sophisticated attack; they carefully managed to get their way in and embed back doors into the code, and then allow that company to distribute their back doors across the corporate world for them,” he illustrates. “One of the things that happened when the SolarWinds breach was announced was there was a massive drop in shareholder value. They lost a huge percentage of their market cap, and angry shareholders came back with a lawsuit; they’re suing the CISO of that organization, accusing him of putting business objectives ahead of security objectives. You always have to balance business outcomes against managing the risk and the threat to those business outcomes.” 

Differing agendas

Next, they discuss the conflicting agendas between CIOs and CISOs. Corporate America has not fully grasped the increasing cyberthreats, making it harder for CISOs to do their jobs. 

CISOs have accepted high-risk positions, which is why they must learn how to communicate with CFOs with their interests in mind: money and business outcome. Magowan explains, “The problem is you look at a lot of CISOs, they report to CIOs across many companies. And I always say CIO and CISO are joined at the hip, but we have conflicting agendas. So when you meld those two worlds, what you’re getting is less security.” 

How to get the funding you need as a CISO

Magowan discusses how it can often be difficult for CISOs to get the funding that they need. He describes, “You can’t speak in security terms. You can’t talk about risk to them unless you convert it to dollars and cents and business impact, such as, what business are they going to lose? How much money do they stand to lose? What is the probability that they’re going to lose $5 million over the next five-year period, and you want to spend $50,000 to mitigate that — that they can compute? That’s where a lot of security leaders fall short. They start talking about, ‘This could happen. These bad guys could break in and then they’ll get this record,’ and they don’t realize that the CEO or the CFO is saying, ‘So what? Why do I care? What does that matter?’ Well, you have to translate that to, ‘If we lose this, we’re going to lose X number of dollars or so much business.’” 

Advice for the new CISO 

To Magowan, a CISO is someone who is an enabler versus a barrier. A CISO’s job is to protect the company against risk and allow the business to succeed. He describes who a CISO is, stating, “You need to be business-aware. You need to be able to communicate with the business and get the business’s attention. The CEO needs to understand why what you’re talking about matters. My job is to protect the company against risk, protect the company’s assets and the company’s interest, and keep us out of the news, but ultimately it’s to be a business enabler. If you want people to follow security, make it easier and people will do it. That’s all about enabling business outcomes.”

Listen to the Podcast

To learn more about Steve Magowan and get more insights, listen to the podcast or read the transcript.