Interview: Michael Welch, CISO, OSI Group

CISO Believes Security Is The Next Enterprise Function To Become Business Enabler


Jeff Orr


Professional sports is an elite field that few can call their career. And even fewer can claim a career path from professional athlete to cyber security leader. OSI Group CISO Michael Welch is one of those few. As the newest member of the Cyber Security Hub Editorial Advisory Board, Welch sat down with Editor Jeff Orr to share his journey in cyber security and provide an outlook on the industry that has provided him many challenges and rewards.

CSH: The journey for a CISO seems to have many origins. What’s your story? And how did you end up where you are now?

MW: I got into security through an untraditional route. I went to college on a sports scholarship to play baseball, and I got drafted and played a few years for the Texas Rangers franchise. Injuries sidelined that career, so I had to ask myself what I was going to do now. My brother was in technology at the time and he gave me a book to read on computers, and I liked it. And that's what I have been doing now for 22+ years.

I started as a programmer and gravitated towards the security side of things with an interest in firewall configuration and designs. After practicing that for a while, I got into consulting. You get to see lots of different environments and work with a lot of different customers. Consulting was my focus for a number of years.

As you get older and start to have a family, you reflect upon your experiences and set a goal of where you want your career to head. In the security field, everybody strives for the CISO role. Knowing that the CISO role isn’t only about security, but also about understanding budgeting and the different factors that a business needs to operate, I went and got my MBA.

After that, I started looking at new opportunities. I found one that was almost a clean canvas; they didn’t have a CISO role before and customers were asking them about security. They wanted to bring somebody in to help build the program. So for me, being new and having a lot of consulting experience, I had done all of the things they needed, but didn’t have to inherit someone else’s legacy security environment. This opportunity presented itself and it’s been a challenging and rewarding process for the last 2 years.


CSH: How did consulting help you be successful entering business when there wasn’t a historical security role?

MW: Consulting taught me how to find what’s important for the business – whether it be compliance, security, etc. – and establish best practices. Being able to adjust and multitask was a natural transition from consulting to the CISO role. There are a lot of synergies. The CISO role is not about the technologies; it’s about building relationships within the business and developing a roadmap that shows the plan.


CSH: What is the biggest myth about the enterprise CISO?

MW: The biggest myth about security is that it can be done later; that it’s a byproduct. The whole mold for IT is changing. It used to be that IT was looked at purely as a cost to the business. Now, IT is looked at as an enabler of business.

Security has taken on that cost roadblock role. Sometimes people don’t bring security into the conversation until it’s late in the game and that’s doing it a disservice. Security is not meant to be a roadblock. Security is meant to be a transparent way to protect the business and the customer. There is no such thing as 100% secure, so the role of CISO is to manage risk for the organization.



CSH: What motivates you to keep pushing ahead every day in the security field?

MW: My job is to protect the company and the brand. In order to do that, you have to build relationships. Some say that people are the weakest link, but I believe that people are your biggest asset. Most problems are introduced into systems by people, whether it’s clicking on a link containing malware or opening an email attachment that contains a virus. Educating and partnering with people is critical to the overall security program of any company.

The advancement of technologies and level of attack sophistication occur at a rate that really keeps things moving along in security and you have to stay ahead of it. Building those relationships, helping employees protect themselves at home and at work, and making sure the company is safe are the things that motivate me.


CSH: Conversely, what concerns do you have about the state of cyber security today?

MW: My concern is that the attackers collaborate better than the industry does! Their tools and techniques are getting so much better. The two things that concern me the most are the extension of the enterprise perimeter and shadow IT behavior.

The extension of the enterprise perimeter due to cloud computing introduces additional risk for the organization. The potential benefit is that cloud service providers have many resources and spend on building secure processes that go beyond what any single organization can deliver. Extending the perimeter is something that every organization must now embrace.

Business units can now stand up entire services without bringing security into the picture. This is the shadow IT phenomenon. The services are no longer on-premises; they are out there in the cloud. This goes back to the need to identify and build relationships with all of your business stakeholders. Chances are that the legal team reviewed a contract for the service, so that may be a control point where security can be introduced into a conversation that it might otherwise not have known about.


CSH: Is the cyber talent shortage a reality for you? Or is this the hand that was dealt and organizations just need to live within their means?

MW: Is there a cyber talent shortage? Yes. You deal with that through education and mentoring, and by providing input and guidance to an IT person that there are additional opportunities for them. You also build relationships with stakeholders in the business as well as third parties. Some companies want to run really lean and leverage third parties where appropriate to offset some of the talent shortage we find. Any type of infrastructure you may have in remote locations is likely to have a lack of talent in the geographical area. So, you have shared services and remote working, you work with the hand that you're dealt to the best of your ability, and you supplement with third parties where necessary and where the associated risk is understood, but it can be done successfully.



CSH: What are some of the ways to prepare/contribute today towards the next generation of security leaders?

MW: University outreach and interns bring an opportunity to expose more people to security and other departments within the business beyond their school studies. Bringing awareness to what is possible and the path to pursue that career is what helps alleviate the concerns about a talent shortage.

Be willing to mentor and provide guidance. Stand up in front of people and share what is current in the industry and where it's going. How can it impact you? Cyber is the anonymous, the unknown. It impacts you in the office and at home. If you can engage and motivate people, you may give them insight into a new opportunity or career path.


CSH: If you were able to give your younger self a piece of advice about the security industry, what would it be?

MW: Spend more time coding. The foundation of everything is code. Having a mindset to consider how things work and how to reverse-engineer the behavior of a packet would have been a valuable insight to make things easier for me today.