Mark Lynd is a 4x CIO and CISO for several global organizations. He is currently the Head of Executive Advisory and Corporate Strategy at Netsync. Mark has been ranked among the top 5 Global Security Thought Leaders for several years and was a finalist for Ernst & Young’s “Entrepreneur of the Year – Southwest Region.” An in-demand speaker, he covers topics like cybersecurity and AI for organizations like Intel, Dell, Cisco, Oracle, etc. He served honorably in the US Army’s 3rd Ranger Battalion & 82nd Airborne. Mark holds a bachelor’s degree from the University of Tulsa and attended The Wharton School.
Recently, in an exclusive interview with Digital First Magazine, Mark shared his insights on the future of the cybersecurity landscape, his professional journey, key recommendations for CISOs on how to make informed decisions, success mantras, words of wisdom, and much more. The following excerpts are taken from the interview.
What are your thoughts on where the cybersecurity industry is heading?
On the bright side, the increasing emphasis on cybersecurity by organizations, governments, and the public underscores the critical nature of this issue in our digitally driven world. This increased awareness and emphasis have governments and organizations worldwide prioritizing it and increasing their cybersecurity investments. Technological advancements such as automation, biometrics, and artificial intelligence are helping enhance security. For instance, automation can enforce policies and orchestrate swiftly, biometrics can enhance authentication and identity, and AI can identify anomalies and emerging threats much faster and more efficiently than a team of cybersecurity employees. Also, there is some light at the end of the tunnel regarding the cybersecurity talent shortage, as it is improving a bit, with more training programs and diversity initiatives bringing new people into the field.
However, the threat landscape is becoming increasingly sophisticated. Skilled cybercriminal groups and nation-state actors with ample resources have demonstrated their ability to carry out breaches across a broad spectrum of private and public sector organizations. As more essential systems like vehicles, medical devices, and industrial control systems become interconnected online, the attack surface grows, and the potential for devastating attacks broadens. Moreover, rapid technological developments introduce vulnerabilities faster than many organizations can keep up with, which taxes their ability to respond and/or recover. Because of the increasing frequency and sophistication, it is to envision future attacks with potentially global ramifications.
Despite these daunting challenges, many organizations are getting the importance of continuous cybersecurity awareness and training while adopting a proactive defense strategy and working towards a strong and tested response and recovery capability. Fostering collaboration between the public and private sectors is also crucial in addressing these issues collectively. With vigilance, carefulness, and cooperation, there is more hope that the cybersecurity community can meet future digital demands. However, achieving this goal will require our combined effort and unwavering dedication.
Mark, tell us a little bit about your journey into cybersecurity, and how you ultimately became a CISO.
My journey started in a fairly unusual way, as I was in the United States Army as a paratrooper and mortar Sergeant and was asked to attend a computer school for several weeks to learn fire control for the mortars, which determines the deflection and elevation of the rounds as they leave the mortar tube. Up until that time, I had very little computer access or interest. But, once I started learning and working with those computers, I was bitten by the computer bug in a major way. It was all the push I needed; as soon as I finished my time in the military, I returned to college and received my Bachelor of Science with a major in Business Administration and a minor in Management Information Systems.
From there, I went into industry and worked as a programmer, network engineer, and then management. I often joke a little bit that I was promoted quickly because I had a big mouth and liked to socialize, while most of the techies were more reclusive. As I moved up the ladder working at companies like Amerada Hess, CPS, Metromedia, and Lone Star Funds, I continually re-invested in myself and spoke at events, achieved certifications, and mentored others looking to get into cybersecurity.
Somewhere along that journey, my efforts and thought leadership content sharing caused me to become one of the top three global cybersecurity thought leaders by several of the rankings organizations. I have used this elevation to get the message out to others about the need for cybersecurity and career opportunities within the cybersecurity space.
At this stage in my career, giving back and helping others is a primary consideration for any speaking and thought leadership engagements. It is great that so many larger tech firms are very open or approached with these types of engagements. So talking about STEM, AI, cybersecurity, to veteran’s groups, and a heavy focus on assisting public sector organizations like cities, counties, K12s, and higher education that serve whole communities and provide for those at risk, in need or vulnerable.
It was these kinds of concerns that led me to write the book “Cybersecurity Life Skills for Teens” and finish up another book to be released this Fall regarding cybersecurity for seniors and active adults, as the scams, cyber threats, and other cyber issues are causing real damage to those that are at risk.
Your book “Cybersecurity Life Skills for Teens” was the #1 Release in Teen & Young Adult Nonfiction on Cyberbullying. Can you please brief us about your book and its importance in today’s digital era?
First, I strongly believe cybersecurity is an essential skill everyone should have in today’s digital era. With the rise of cyber threats such as hacking, identity theft, and cyberbullying, it is just crucial to be aware of the cyber risks and know how to protect yourself, your reputation, and your data. Cybersecurity skills are especially important for teenagers who are more vulnerable to cyber issues due to their lack of experience and knowledge in this field.
So, my book “Cybersecurity Life Skills for Teens” is intended to be a powerful resource that can help provide teenagers with the necessary skills and knowledge to stay safe online. It’s great to see that it was the #1 Release in Teen & Young Adult Nonfiction on Cyberbullying on Amazon in May of this year. As a father to several teens, I strongly believe that by teaching teenagers about cybersecurity, you’re helping them protect themselves and empowering them to become responsible digital citizens.
What would you tell organizations that are looking to rejuvenate or build a new security program? What three or four areas would you tell an organization to focus on?
Here are a few key areas, some of which may not be intuitive, but I regularly see as areas for improvement in my daily interactions with customers. I would recommend that organizations focus on the following thoughts and objectives when building or rejuvenating their cybersecurity program:
Invest early in Risk assessment and management. Conduct a thorough assessment of your organization’s cyber risks based on your data and systems, your industry, relevant threats (use threat intelligence or threat hunting to help guide you), and compliance requirements. Use this to guide and bolster your security priorities, strategy, and posture. Ensure you have a reliable risk management process to evaluate, plan for, and address evolving risks continuously.
Keep staffing and training near the top of your ongoing list. Cybersecurity is still a people-led activity. So, hire skilled cybersecurity staff or those transitioning into cybersecurity with potential and provide ongoing training to build and maintain their expertise over time. Focus on technical and soft skills like communication and collaboration and provide mentorship and empathy to ensure a strong team dynamic. Effective security requires the right expertise, collaboration, and a security-first mindset.
Establish clear procedures to implement policies throughout the organization. Then implement these policies and associated technical controls across devices, networks, data, identities, etc. Leverage and use modern security technologies like AI and automation as force multipliers to enhance defenses and capabilities. Remember to review and update policies, procedures, and controls periodically.
This is one of my highest recommendations, as when a cyber-attack occurs, and it is only a matter of time, you will only be remembered for one thing and one thing only… How you responded and recovered. If you respond well, then leadership and your peers will be impressed, and your team will have better job satisfaction; if you do not respond well via an incident response plan, then you will likely end up in the press or on television in a very unflattering way and may lose your job. It is the delicate position we find ourselves in as security leaders. So, ensure you have a regularly tested and actionable incident response plan that includes stakeholders from important business areas within your organization so that you can respond effectively to cyber-attacks. Focus on detection, analysis, containment, eradication, and recovery capabilities. Practice with tabletop exercises given internally and also provided by outside partners.
What are your recommendations to professionals who want to build a career like yours, what are the best practices to adopt, where should they start, what should they practice?
Well, that is a loaded question, but here are some tips, thoughts, and best practices from my perspective to help others that want to build, thrive and enjoy a career in cybersecurity.
By continually investing in yourself, focusing on learning, and staying updated on the latest threats and technologies. This field evolves rapidly, so it’s important to be a learner. Attend conferences, take courses, and read blogs regularly to make learning a part of your daily routine.
It is important to obtain certifications that validate and demonstrate your skills, such as CISSP or CEH. These credentials can open doors for you. They will help provide credibility in the industry, and often times due to the shortage of cybersecurity professionals, certifications are often more important than a formalized higher education.
If you enter the workforce or the cybersecurity industry, you can gain experience by volunteering, taking internships, or creating home labs to get hands-on practice with real-world scenarios. Technical expertise is highly valuable in this field.
Invest in and continue to develop business acumen, communication, and writing skills. Remember that cybersecurity is not just a technical matter but also a business issue that requires collaboration, empathy, diligence, and drive. Learn about concepts you might be interested in focusing on, like risk management and incident response. Understand how to communicate technical ideas to non-technical people and executives effectively. Share your knowledge and expertise with others through writing, presenting, or mentoring.
Networking with professionals in the industry through platforms like LinkedIn and Twitter. Connect with others who share your interests and goals and seek mentors early on who can provide guidance and support during the early parts of your career journey.
Remember, if you receive, then give back, as there is no ceiling on doing right.
Consider specializing in areas of cybersecurity rather than being a generalist. By focusing on being highly proficient and becoming an expert in areas like cloud security, threat intelligence, or incident response you can carve out a niche for yourself, which often leads to additional opportunities for growth and advancement. Investing in yourself and developing your expertise is a wise investment that can yield strong returns in the long run.
How do you think we can attract more young people to this field?
Great question and one which I talk about often with others and at events. Here are a few of my thoughts and recommendations. To ensure a secure digital future, it is important, if not crucial to attract young talent to the field of cybersecurity. To inspire the younger generations, our first step needs to be making cybersecurity more accessible. Unfortunately, it is often perceived as a domain reserved exclusively for genius programmers, engineers or someone technical in nature, we must emphasize that cybersecurity offers opportunities for individuals with diverse backgrounds, skillsets and ways of thinking. There is a place for you in this creative, dynamic and exciting field.
Additionally, it is essential to be able to provide cybersecurity education to all, not only those attending universities or community colleges. By offering online courses, certifications and even helping establish cyber clubs in high schools, we can open doors wider and make education more inclusive and accessible. Moreover, widely available mentorship programs can provide exposure and encouragement from experienced professionals in the industry.
Another important point is we must convey that cybersecurity goes beyond earning a paycheck, as it represents profoundly meaningful work that impacts so many. It is one of the very few professions holds the potential to shape our world and empower people more than cybersecurity does. While brilliant technologists play a role in this field, it also requires ethical advisors who can guide decision-making processes effectively, creative policymakers who can shape regulations, and diversity advocates who champion inclusivity. Cybersecurity is for those who want to safeguard the future of our revolution – a revolution that has already transformed civilization as we know it. Hence our focus should be on inspiring minds by instilling a sense of purpose rather than just imparting skills.
If we can effectively communicate the influence and impact of this endeavor, I believe strongly that we can attract younger, diverse and skilled individuals to this field now and for future generations.
What is anything you wish you knew when you first went into this career?
That like in nearly all careers and businesses, cybersecurity is largely a people business. You protect people, interact with people, collaborate with people, and protect yourself and others from people, so knowing and understanding that provides a unique and powerful perspective with which to align yourself with now and in the future. I came into the industry attracted to the more technical aspects and thought it was primarily about engineering and zeros and ones. But really thrived in cybersecurity when I realized it is about people, along with process and technology with a strong emphasis on people.
How can CISOs make informed decisions about which information risks to accept and which ones to mitigate?
One of the most crucial and challenging aspects of a CISO’s role is to make well-informed decisions regarding risks. There are no formulas that fit every situation, as each organization has its own unique priorities, threats, and risk tolerance levels. Humbly and transparently, here are a few principles that CISOs can follow.
Begin by considering the organization’s business objectives. Risk decisions cannot be made in isolation; they should align with and support the business’s overall goals. For example, a business cannot operate if the security controls are so restrictive that salespeople cannot sell and operations people cannot operate, so a delicate balance must be used, and that requires perspective and understanding of the business objectives in which to align with and support. So, engaging in discussions with and collaborating with other business leaders within the organization so you understand their most critical assets, processes, and risk tolerances is a must. A comprehensive and clear perspective is vital to have any chance of successfully protecting the organization.
Utilize data effectively. Combine financial impact and likelihood metrics with qualitative insights derived from threat intelligence and threat hunting. Data-driven risk models offer contextual information for making informed decisions. However, it is important to remember that data alone may not be sufficient… Strive for a full 360-degree view!
Pay attention to risk factors. No control measure can completely eliminate all risks; there will always be some remaining level of risk after implementing controls. It is important to address this fact, establish risk tolerances, and continuously monitor them. There are opportunities to account for any remaining or residual risk as well, using cyber insurance or having an outside incident response team on retainer.
Document decision-making processes thoroughly for future reference purposes. This is so important in a business like cybersecurity, where many of the actions and outcomes can have a restrictive or invasive nature to those internally and externally, so document and align your strategies and efforts with the business goals. Sometimes, by simply explaining the context behind decisions made today, it becomes easier to revisit and reassess them in light of evolving threats, shifting priorities, or drama.
In my humble opinion, by following these guidelines, Chief Information Security Officers can make decisions regarding risks without disregarding significant threats or succumbing to unnecessary security measures. Striking an equilibrium between data analysis, resources, discussions, and proper documentation helps build trust and alignment within an organization.
It’s important to remember that managing risk is a dynamic process involving people, processes, and technology rather than a fixed endpoint or destination.
It is a fact that the role of the CISO is highly dynamic. Given that, what is (are) the most critical success factor(s) that a CISO must show to succeed?
I believe that to excel in the role of a CISO, one must possess a unique combination of qualities, decisiveness, collaboration, creativity, and empathy.
Decisiveness is important. Given the emergence of new and more advanced threats, CISOs must swiftly assess risks and make informed judgments. However, it’s essential to avoid becoming isolated due to decisiveness. Effective CISOs collaborate and work alongside stakeholders from other departments and disciplines to develop comprehensive security plans that align business requirements with technical realities. They foster agreement through listening, transparency, empathy, and building strong relationships.
Equally crucial is problem-solving. As adversaries constantly evolve their attack methods, CISOs must exhibit imagination and resourcefulness when fortifying defenses. It’s not enough to rely on standard procedures; they must devise innovative solutions and garner the resources to operate and support these solutions. Nonetheless, creativity should be balanced with business reality to ensure practicality. Many of the exceptional CISOs I engage with and respect empathize with end users’ perspectives and do their best to incorporate these perspectives, along with the business goals, to achieve stronger outcomes. In other words, develop and employ security measures that empower and facilitate their work rather than impede it.
Ultimately succeeding as a CISO boils down to mindset. It demands the courage to make decisions under great pressure and social skills to rally their teams made up of individuals from diverse viewpoints. Intellectual agility is needed so they may think outside the box in an ever-changing landscape and have the emotional intelligence to understand users’ needs deeply.
In my travels and numerous C-level engagements regarding cybersecurity, I have observed that leaders possessing these attributes can assist and empower CISOs to overcome challenges while steering their organizations toward a secure digital future.
Over the years, you have been a recipient of multiple prestigious awards and accolades. What is the secret sauce behind your success?
I’m truly grateful for the recognition I’ve received throughout the years, even though my main drive has always been to contribute towards securing a digital world and helping those that provide critical services to their communities rather than seeking praise. That being said, reflecting on what has fueled my success would likely boil down to these few crucial factors that inspire me daily.
Maintaining an unwavering sense of curiosity. In this evolving field, I make it a daily practice to learn and grow. There’s always something to explore: emerging technologies, potential threats, or innovative ideas.
I surround myself with quality individuals. Candidly, having brilliant and diverse teams of collaborators and teammates makes all the difference in the world. I firmly believe in fostering an environment where unique perspectives are welcomed and highly valued.
Prioritizing real-world impact is something I think about often. While awards hold value if they don’t translate into meaningful work. One of my continuing goals is to make practical contributions that empower organizations to become more resilient and secure. For example, as a security leader at Netsync, I have been evangelizing incident response planning for the last few months to our customer’s CIOs and CISOs. Explaining how they will be remembered by their leadership, peers and communities for how they respond and recover, not for how much they invested in protecting and detecting, even though those are necessary and smart investments. At this stage, making respond and recover investments is just plain smart.
Embracing persistence. The journey toward a reliable security posture is a process of gradual enhancements. When progress feels sluggish, one must keep pushing forward. If a goal seems too large or unattainable in a reasonable amount of time and impacts your team’s job satisfaction, then break it into several smaller goals, so achievement and satisfaction may persevere.
Ultimately, my personal success stems from the work itself and a genuine passion for solving problems; the opportunity to innovate, give back, and leave even a small mark on the world makes all the effort worthwhile. There are always challenges waiting to be tackled alongside talented colleagues.
Do you have advice for someone looking to start a career in cybersecurity?
Embarking on a career in cybersecurity presents an opportunity to have a tangible impact in our rapidly advancing digital world and the safety of others. If you’re starting out on this journey, I advise embracing it as a learning process rather than considering it a fixed destination. Stay open-minded and curious, exploring technologies, diverse perspectives, and evolving threats. To stay ahead of adversaries, bring creativity and critical thinking into play. While focusing on developing your expertise over time, exploring roles within the field is beneficial to gain a comprehensive understanding of the many opportunities available.
Enhance your skills by engaging in hands-on lab work, participating in bug bounties, and pursuing personal projects. Immerse yourself in the cybersecurity community by seeking mentors, attending events, and building connections with minded individuals. By doing, you’ll begin to comprehend the human impact of cybersecurity – how it encourages innovation, safeguards liberties, and enables everyone to reap the benefits of our digital revolution safely.
Always remember that your contributions will be significant; through securing systems, protecting data integrity, and providing guidance to leaders, you are making a difference. Cybersecurity is an evolving field that poses challenges but offers profound purposefulness and can be financially rewarding too. Approach it with a mindset for continuous learning and with an unwavering passion for creating a safer world. It will give a stronger sense of purpose.
Remember and embrace that cybersecurity is a journey, not a destination, and the rest will naturally fall into place – believe in yourself!