1
Marcus J. Carey

Closeup image of the cybersecurity community advocate “Marcus J. Carey.”

“I'm a big motivator. I get people hyped up all the time.”

Twitter: @marcusjcarey
Website: www.linkedin.com/in/marcuscarey/

Marcus J. Carey is a cybersecurity community advocate and startup founder with more than 25 years of protecting government and commercial sensitive data. He started his cybersecurity career in U.S. Navy cryptology with further service in the National Security Agency (NSA).

Do you believe there is a massive shortage of career cybersecurity professionals?

This is going to be a little bit of cybersecurity heresy, but I don't believe that we need career cybersecurity professionals to be able to combat the risks that we currently have and will have in the future. If I could wave a magic wand, I'd enable all information technology, computer science, electrical engineers, etc., to be more knowledgeable, responsible, and accountable for cyber risk. That same magic wand would also eliminate most cybersecurity roles except for oversight and compliance.

We bridge the gap by making cybersecurity be part of everyone's job. Each area of responsibility should have cybersecurity stakeholders, such as system administrators, software developers, network engineers, etc. They should play a more accountable role. Together as a group, they would have more skin in the game because they would be directly to blame. I've seen too many times where security teams relegated to the sidelines are somehow still blamed for breaches. To implement this, the executive team must play an extremely critical role.

What's the most important decision you've made or action you've taken related to a business risk?

The most important decision I made as founder and CEO of a software company was not to implement corporate drug testing. Every business is different for sure, and many cannot allow this. From a traditional business risk perspective, many would argue it's a huge risk, especially if you're employing bus or forklift drivers.

I'm about to make a huge generalization about the tech scene, which includes people who build technology and my hacker community. There is a lot of recreational drug use. I'm certainly not advocating or saying that people actively use on the job. I'm saying that if you want technology talent, especially in places like Austin, you may have to take this risk.

In a knowledge economy, people get paid for what they know and not what they do on the weekends. Many of the most talented builders and hackers will not apply for jobs if they have drug testing policies. These policies could be blocking talented people who can write secure code for your organization from applying to be an employee. I know there are many counterarguments to this, but it's a risk that I took and would do again in the future.

How do you make hard decisions? Do you find yourself more often making people, process, or technology decisions?

One of my favorite books is How to Stop Worrying and Start Living by Dale Carnegie because it taught me an important lesson that I still use today. The hardest decisions usually come with worrying about the outcome. The book instructs you to think about the worst thing that could happen and create a game plan for that scenario. It's usually going to go better than that.

To be super honest, people or personnel decisions are always the hardest. Most of the technology is about the same. Most of the processes are based on some sort of scientific method if you stop to think about it. People are hard to predict.

The most critical decisions surrounding people are probably hiring and firing. Hire for potential, not for finished products. When someone stops believing in the mission, it is time to part ways. Letting people go is tough for most of us, but I've learned time after time that it doesn't ruin good relationships.

What's something that you struggle with as a leader, and how do you overcome that?

I'm a big motivator. I get people hyped up all the time. Since I'm pumping people up and getting them super confident, it guts them when I'm critical of their performance.

I've learned to take a balanced approach where I can't hype people up so much. I also try to talk with them more often so I can microdose any criticism without them feeling like a tsunami just hit.

How do you lead your team to execute and get results?

Communication is the absolute key. I believe cybersecurity teams should really adopt the mind-set that they are a small business inside a larger organization, even if it's a small team (e.g., one person). Cybersecurity teams are in the business of risk reduction. Everything that the team implements should be with that goal. No bull, just business; your internal and external customers can smell it from a mile away.

Do you have a workforce philosophy or unique approach to talent acquisition?

I'm confident that if you hire right, anyone can learn how to perform most roles if they are given six months of on-the-job experience. When hiring, make sure that you have a minimum viable candidate in mind. So many organizations try to hire the “perfect” candidate based on exactly what they have running in their enterprise. Even organizations in the same vertical do business and cybersecurity differently.

The minimal viable candidate will be kicking butt in a few months. Hire them, train them, equip them, and they'll pay you back in spades.

Have you created a cohesive strategy for your information security program or business unit?

I highly recommend everyone check out Traction by Gino Wickman. He has an approach that can be applied to any business or business unit. The book is great for setting monthly, quarterly, and yearly cybersecurity goals. Align those goals with the overall corporate strategy. Have monthly and quarterly meetings to track your progress. Hold everyone—including management—to those goals. Practice extreme ownership.

What are your communication tips for interacting with executive leadership?

Be super transparent. Make sure you are telling the same consistent story to everyone. If you are caught downstream or upstream telling different stories, people will lose respect and discredit what you may say in the future.

For example, don't hype risk to get your direct reports to work harder, only to downplay the risk to management. The opposite approach is common as well. People will lose confidence in their mission as an end result. It's terrible for morale.

How do you cultivate productive relationships with your boss, peers, direct reports, and other team members?

The best relationships are built on a sense of a common goal. For a boss and peers, that mission is corporate success. A productive relationship means making sure that they have the right information to reduce risk. Notice the phrase “reduce risk,” as it is impossible to eliminate risk.

Direct reports' and team members' relationships will be fostered on building each other up while reducing risk for the business. Everyone wants to experience professional growth, so by putting your personnel in positions to grow, they'll get what they need from your leadership position. Also, let them know you've got their backs at all times. They will reward you by kicking butt and taking names.

Have you encountered challenges collaborating with revenue-generating teams like sales and product development?

The elephant in the room for revenue-generating teams, such as sales and marketing, is that they will always want to jump on technology to increase sales and prospects. Development teams will see new widgets, languages, and other technology that makes their lives easier. This is a blessing to the company, which lives on revenue, and can be seen as a curse to a cybersecurity team.

The approach I recommend is that you and your team be research-driven and test these tools for yourself so you can understand how the business can use new technology as securely as possible. You have to be in the room when technology decisions are being made, and if you shoot everything down, you won't be in that room for too much longer. Either you'll move on or they'll ignore you.

Remember, your job is to allow the business to move fast without shooting itself in the foot. Cybersecurity should be a business enabler, not a hindrance.

Have you encountered challenges collaborating with technology teams like information technology and software development?

Cybersecurity professionals have gotten a bad name over the years for being the party poopers when it comes to technology. We've been downright disrespectful at times when dealing with information technology and software developers.

The best thing you can do is to make sure they understand you aren't there to say “no” to everything. Our job is to reduce risk. Sometimes that means we need to tighten up our IT chops and understanding of the software development process at the organization.

Having those people know that we are all on the same team is a game-changer. If they or anyone on your team thinks this is an adversarial ordeal, things will not go well.

Do you have any favorite books to recommend for people who want to lead cybersecurity teams?

Here are my top five at the moment. I believe we are in the people business, so mine relate to dealing with people and building teams. I choose books that inspire me to be a better person and leader.

  • Extreme Ownership by Jocko Willink and Leif Babin
  • How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen
  • Sapiens: A Brief History of Humankind by Yuval Noah Harari
  • Talking to Strangers by Malcolm Gladwell
  • Good to Great by Jim C. Collins
