What It Really Means to Lead Security. A Conversation with Sean Murphy

Episode summary

Sean Murphy joins Smart Cookies to talk about what security leadership really asks of a CISO. The conversation moves from his Air Force start in medical device security to board level risk conversations, AI guardrails, resilience, career growth, and the reality of leading security in complex organizations.

Overview

Welcome to Smart Cookies, a conversation series focused on cybersecurity, privacy, and risk leadership. In this episode, Sean Murphy shares how his path through the Air Force, healthcare, and financial services shaped the way he thinks about security as a business function.

Sean explains why senior security work is not just about technical knowledge. Security leaders need to translate risk into terms the board, CFO, CEO, and business leaders can act on. That means moving past simple questions like “are we safe?” and toward better conversations about risk tolerance, resilience, recovery, and the tradeoffs that come with new technology.

The conversation also covers AI governance. Sean talks about the need for guardrails before AI use grows faster than the controls around it. He also points to a future where the time between vulnerability discovery and exploit may shrink so much that organizations must rely on continuous patching, stronger resilience, and more secure products from manufacturers.

Career growth is another major theme. Sean speaks to people who want to lead, people who want to stay deep as individual contributors, and people just starting out. His advice centers on learning the business, building strong networks, using military service or certifications where they make sense, and understanding that each person’s path into cyber will look different.

The episode closes with a grounded answer to the question security leaders hear often: “are we secure?” Sean makes clear that absolute certainty is not the right promise. A credible answer is built around risk tolerance, maturity, resilience, and honest communication about what the organization can absorb and recover from.

What this episode covers

  • Why senior security leadership requires business fluency as much as technical knowledge
  • How board security conversations are shifting toward resilience, risk tolerance, and recovery capacity
  • What AI governance questions security leaders need to be ready to answer
  • How mid career and early career professionals can think about growth in cybersecurity
  • Why “we are secure” is not the right answer, and what a better answer sounds like

FAQ

Who is Sean Murphy?

Sean Murphy is a cybersecurity executive with experience across the Air Force, healthcare, and financial services. In this episode, he discusses security leadership, board communication, AI governance, resilience, and career development in cybersecurity.

How did Sean Murphy get into cybersecurity?

While serving in the Air Force as a program manager for PACS and teleradiology deployments, Sean became the person in his office responsible for learning Department of Defense security requirements. The Air Force supported his CISSP and CSSP training, which led him into medical device security and then broader cybersecurity leadership.

What does Sean Murphy say about AI and security governance?

Sean says organizations need AI governance before adoption grows faster than the controls around it. He also expects vulnerability discovery and exploit timing to keep shrinking, which will require better resilience, continuous patching, and more secure products from manufacturers.

How should security leaders answer “are we secure?”

Sean cautions against giving an absolute answer. A better answer focuses on risk tolerance, current maturity, resilience, known gaps, and how well the organization can respond and recover when something goes wrong.

Full transcript

Derek: Welcome to the Smart Cookies Podcast. We are with Sean Murphy, where we’re gonna be cracking the recipe on the role of security and the CISO in the organization. Our goal here is to have real conversations that highlight strong leaders, translate some complex topics over our next couple episodes into clear business takeaways, and build community and discussions around how security professionals, and those that are interested in the profession, can show up and understand the challenges and opportunities of security professionals as they navigate organizations. So thank you, Sean, for being here.

Sean: Thank you very much for inviting me, Derek.

Derek: So I think our listeners, first thing, they’re gonna wanna know a little bit about you. And instead of saying “tell me about yourself,” why don’t you tell me what you wanted to be when you were growing up, and looking back, how close or how far did you land on that target now at this point in your career?

Sean: I would say that for my childhood, I was a baseball player, and I was a catcher and a pitcher, but I was a catcher primarily up through high school. And I would, the answer to the question is I wanted to be a catcher in the Major Leagues. Your follow on question is probably going to be why aren’t you a catcher in the Major Leagues? The answer is twofold. One, I wasn’t quite big enough to be a catcher or any kind of baseball player really. Second, I didn’t hit the curve ball very well, so I figured I’d better find something else to do with my time.

And I ended up getting into cybersecurity, much like the proverbial situation where everybody took two steps back and there I stood. Quick version of a longer story: while I was in the Air Force, I took on a role as a program manager for PACS and teleradiology deployments throughout the Air Force, back when that was pretty state of the art stuff. And as part of that, the Air Force had strict security requirements for anything that touched the warfighter’s network. So somebody in my office had to be security savvy under the then Department of Defense, now Department of War, security requirements. So I was that person that got, I was fortunate enough that they invested in me to earn my CISSP and CSSP and take on medical device security.

Derek: Okay.

Sean: And there I was. But short straw, everybody else took two steps back, boom, I’m in security at that point. And the rest is, as they say, history. It’s been a great ride.

Derek: Well, all the stories I hear of riding out the minor leagues in baseball and a baseball career are quite challenging, and it sounds like you took a Major League route being in the military, then healthcare, and now financial institutions. You’ve gone across a few different teams. We’ll let this metaphor die in a second, but a few different teams. So…

Sean: No, and if you look at me now, I could, I’m big enough to be a catcher now. But I was a late bloomer, I guess you could say. But yeah, I look at the guys that are like, they’re bullpen catchers, right? They’re making a million dollars a year. It’s like, what was I thinking? I should have…

Derek: You were a kid. Yeah. How many of us have wanted to grow up and be a sports star or be a police officer or firefighter? All great things. Just things change.

Sean: Yeah. But had I known about cybersecurity when I was a kid, then that’s what I would’ve wanted.

Derek: What is, on a serious note, what’s kept you in the field? What’s the through line for you?

Sean: That’s a great question. So going back to the start with the medical device security in the Air Force, I really enjoyed being in the Air Force because of the mission. I really enjoyed being in healthcare because of the mission. After I retired from the Air Force, I went into other healthcare cybersecurity roles as a CISO, all of which were in the business of cybersecurity for healthcare, protecting health information of our customers, our patients, the folks we serve. Ultimately it’s an obligation, right? But it’s also a privilege. They’re trusting us with their information, and typically within healthcare, they’re giving that information at a very vulnerable time in their lives when they’re not feeling well, or they’re sick, or they’re under the care of some physician or provider. And so I took that obligation very seriously. It felt like real mission.

And then moving into financial services, I’d have to say in particular BECU and the credit union movement felt a lot like being in a healthcare organization as well. One of our core principles is around helping our members with financial health, which is a component of overall health along with mental and physical health. So it still feels like mission driven work to protect the sensitive information of members of BECU. So that’s very important to me, and it’s a driving factor. Because this isn’t an easy job. Having that drive you internally is important to me, and it keeps you going.

Derek: It’s interesting. I think a lot of people would expect a CISO to jump right into all the technical elements, and so much of what you’re talking about in terms of mission is not the technical part. It’s more of the cultural piece. Is there a moment, or a project, or something where it clicked for you that security was more than just the technical elements, that it was a leadership and cultural challenge? Is there something there you could share?

Sean: Yeah. Well, especially as you get more senior in the cybersecurity business. But honestly, from a technical standpoint, that’s table stakes, right? Again, started out in medical device security. I absolutely learned a lot about the technical aspects of medical devices and the security needed to bring those to the warfighter’s network. So the technical stuff is definitely table stakes and you learn that over time. But in order to move up in the organization or become more of a senior leader, you have to transition towards being a business leader as much as a technical one. So you’re the technical expert at the business table, at the C suite table, and you have to be able to talk. You have to put the technical and cybersecurity concepts in terms that make sense to the business and the strategy of the organization. Otherwise the technical speak just gets drowned out, and it doesn’t matter how technical or how savvy you are with technology, it’s not gonna translate well to the CFO. It’s not gonna translate well to the line of business folks, even in healthcare, especially in healthcare, the clinical aspect, it doesn’t drive.

To directly answer your question though, the whole idea of how culture plays into this, there is that expression that culture eats strategy for breakfast or lunch. You take whatever’s your favorite meal.

Derek: What’s your favorite meal of the day as you’re bulking up to be that catcher forever?

Sean: See, we came all the way around.

Derek: You gotta eat all the meals. And breakfast is the most important meal of the day. Which by the way, on a totally different tangent, that whole concept of breakfast being the most important meal of the day is kind of propaganda from the cereal industry.

Sean: There’s your first conspiracy theory. Let’s see if we can run that one for a while. There’s a lot of folks that would tell you that not eating first thing in the morning is actually better for you. So I’m not advocating either one. I just read it on the internet.

Derek: Can’t wait to hear about your new cereal brand that you’re launching. With that, you talking about as you got more senior, you saw that change across strategy, culture, risk, trust, how these things all intersect, and needing to tell the story around whatever the technology motion is that needs to happen. Help us peek into something that a lot of people don’t get experience being around, when you’re working at the board level. What are boards most typically focused on when it comes to cybersecurity? And then what kind of conversations do you find yourself wanting to have even more with boards, given your amount of experience and energy you have used to partner with boards across organizations?

Sean: Well, kind of at a high level, I would say over time the board conversation has really changed from generally wanting to know: are we safe? Are we secure? And that’s always been a tough question to answer, especially honestly, because that’s super important, that you are transparent and honest at the board level, otherwise you’re not serving anybody. But that has changed into more of: how resilient are we? How much risk can we take? Where are the gaps from your view, and how can we mitigate those? Along with, again, how much risk can we take? What is our risk tolerance that we’re still within that threshold?

And then if we make X, Y, and Z decisions in the strategy of the organization, how will that appreciably impact the tolerance levels that we have? And artificial intelligence right now is really a great example of how the conversation is going, because everybody wants to go fast, everybody wants to go at the speed of artificial intelligence and innovate and experiment and really try out all the different capabilities that are coming to bear. The whole thing is to democratize the ability to leverage technology. Everybody’s building their agents now in the organization. So to that end, how much of that can we absorb from a risk standpoint? What guardrails do we have? What guardrails will we put in? And then ultimately, I think it comes down to a question of how resilient are we?

Because I think most boards understand that there will be issues, there will be an incident or a cyber event. I’ll stop short of saying a breach, but there will be some incident or some event that will have incident response and a crisis that has to be addressed. It’s not if, it’s when.

So to that end, how good are we at responding and recovering? How resilient are we? And I think those are the kind of stories and data that the boards want to know and need to know. What do I wish they would ask more of? That’s a good question. In my experience, I’ve been very fortunate with the board interactions because they will flat out ask me, “Do you have everything that you need?” Although that’s a dangerous trap too, because if the board asks you, “What else do you need?” whatever you answer, you better make sure that the CEO and your executive leadership knows what you might ask. If you haven’t asked them and now you’re asking the board, you’re in trouble. That’s a resume generating event right there. But at the end of the day, I’ve been very fortunate that the boards I’ve reported to have always asked, “What more do you need? How can we help you go faster?” And that kind of stuff.

Derek: Cause that demonstrates engagement too, right? Like they’re invested in what you’re doing and how it impacts the organization. And this is probably a question you’ve answered too many times in the last year or so, but can you give us, and we’ll pick up some more of this in future conversations, but can you give us a little taste of how the AI movement has changed what the conversation is like with boards around security? Like how have you seen, even in the last year, AI change what they’re asking of you, what they’re wanting to talk to you about, how they’re thinking about things? Because I know you’ve had to change your organization a lot. So how’s that shown up in the board?

Sean: Well, I think, yeah, and again, moving at the speed of AI, this started a very short period of time ago with: do we have the governance in place? Because we’re hearing about this capability that’s coming to the fingertips, and do we have the governance in place? And from an enterprise view, yes, we have the governance in place, which is good, because as everything started to really accelerate, if we were still working on governance or still thinking about what governance might look like, we would really be in trouble. Because we’re now moving into the space where, as I mentioned before, it’s all democratized. Anybody can build an agent. And so from security controls, do we have sufficient guardrails in place to allow for that innovation and experimentation, and not have to totally centralize it and be so controlling that we don’t really leverage the capabilities of AI and we still move too slow and don’t hit our objectives around AI? So those questions are relatively answered. I’m no different than anybody else. Every day there’s kind of a new thing to consider in terms of those guardrails and how to implement them, and we’re looking at vendors, we’re looking at different solutions, we’re looking at capabilities within our current technology to configure in a way that helps with those guardrails around loss prevention, prompt injection attacks, things like that that we’re guarding against.

So that leads you to what’s next. And the Frontier AI, that’s not so far ahead of us. In fact, it’ll probably accelerate even more than what people predict at this point. And I believe the thing that matters most is that the time between vulnerability identification and exploit, skipping exposure, going right to exploit, is going down to, some people say hours, some people say a day. But I think it’s almost instantaneous. It’s almost a zero day kind of thing: the vulnerability identification from the adversary, there will be exploit instantaneously. You will not have time to patch. Patching will be a continuous thing that’s always going on. I believe we’ll have to get better at resilience, and get a little more comfortable with some downtime that we’re not comfortable with now.

We’re trying for five nines uptime and that kind of thing. If you have to stop and patch and maybe it crashes a system, we got to find a way to be a little more accepting of that than we are right now. It’s not tolerated now. So it might be a little more reality under a continuous patching and configuration model. But ultimately we’re not going to have that ability to risk prioritize patches as they roll in. And we’re going to have to lean on manufacturers for building it in and not having us bolt it on. When something comes to market, I’m seeing that they are scanning their toolsets with the same kind of capabilities that the adversary will have. So when we get it, it should be vulnerability free, so to speak. But we’ll see.

I think that’s the next stage for cybersecurity teams, to be able to provide that resiliency, provide those technical capabilities to really be looking inside our own environment for those vulnerabilities, and putting in the capabilities to do continuous patching. And there’s other areas where development and release cycles will be aided by that capability as well.

Derek: As a lifelong educator and someone that’s written books on security, you kind of opened an interesting door there. What are you telling people that are at a midpoint in their career about where they should be growing their skills or where they should be leaning in and learning? And then on that same token, what are you telling people that are newly minted and entering their cyber career where they should be focusing their energy? I’ll give you the space. There’s probably not one answer, it is unique to a person. But as someone that has done a lot of pay it forward education in your career and led some strong teams, what are you telling them on those two tracks?

Sean: That’s a great question. I think of it this way. I had a mentor one time tell me something that I find myself repeating a lot now: the path that got me to where I am is not the path you’re gonna take.

Derek: Interesting.

Sean: And I think anybody that’s in my cohort in terms of experience and years of service would have the same kind of story, in the sense that many of my peers and colleagues at my level of years of experience started out in something very different than cybersecurity. The degrees are in history and political science and, up to and including master’s degrees and PhDs. It’s only been a pretty short period of time that formal degrees have been granted around cybersecurity, outside of computer science. And so say all that to say, if you’re talking about somebody at a mid level of their career who wants to get into management, then you have to start honing your skills around learning the business and learning how to fit in at the C suite or with your senior executives as peers. Your value is being able to translate the cybersecurity stuff into something meaningful to the people that are running the business. Because unless you’re in a cybersecurity organization, your organization isn’t in the business of providing cybersecurity. Like BECU is a credit union that has a cybersecurity team, and we do very well. We’re not a cybersecurity organization that provides financial services. So as a senior leader, you have to be very mindful of that and learn what the business is and learn how to communicate with the business and learn how to show them the value of the trust that you’re instilling into the system.

Now, on the other hand, if you’re at a mid level and you don’t want to be in management, that’s okay these days. It wasn’t always okay in my day. If you wanted to move up, especially on the pay scale, you needed to move into management and into other leadership. But in cybersecurity, you can be very specialized and stay at an individual contributor type level, be a principal in your field…

Derek: Go really deep.

Sean: And just nail it that way. And there’s no shame in that game, for sure. So I’ve learned that in terms of the generational thing, many people that are coming up are not interested in becoming managers. They’re more interested in really getting better and better, and then maybe even going into entrepreneurial type things like Derek Kalles.

Going backwards into somebody just starting out and getting into cybersecurity, I think some of the tried and true things are still very important. Number one, if you’re inclined to go into a four year degree or something like that, that’s still very important. It still amazes me the percentage of people in the United States that have a baccalaureate degree. It’s still around 30%. Not everybody has the ability to make it through a four year degree.

Derek: Right.

Sean: And it is a marathon. It really doesn’t have a whole lot to do with being smart. It has a whole lot to do with being persistent and taking the long view. Master’s degrees, PhDs, even smaller percentages of the population. So there’s still value in that. I just saw a news report today that even though it’s smart for kids to go into trade schools these days, and I’ve got lots of thoughts on that, that’s a great pathway, but there’s still more earnings power going into four year degrees. Still a good pathway.

But if you’re not interested in that so much, I would point, and I have done this, I would point kids to military service. The Air Force was very good to me. You’re trying to make a point that there’s a lot of news out there around how hard it is right now for people coming out of even four year universities to land their first job, and it sounds like you see some of those conversations happening even in the cyber space.

Derek: Yeah, it’s difficult for your first job in cybersecurity to be at a management level. And usually with a baccalaureate degree, you’re talking about somebody who’s coming into a management level. That’s what I’m trying to say.

Sean: But going back to the idea of military service, it really doesn’t even depend on what job you’re talking about. The Air Force, I’ll talk about the Air Force cause I know it, the Air Force is very good about bringing people in day one, giving them a role that from day one is full of responsibility and technical growth. You’re hands on. Let’s say the first four years earning your CISSP in the Air Force, maybe even following on and getting a master’s degree. And if you join through officer candidate school, any of those options.

But that experience level, if you just do four years enlisted or as an officer, you come out of that with way more experience than your peers would coming out of a baccalaureate degree and then going into one of those entry level type jobs in cybersecurity.

Derek: Interesting.

Sean: So that on the job training and the investment in your certifications, I would highly recommend to anybody, at least think about it, look at it. Any of the services, whatever floats your boat, so they say. But I love the Air Force.

And then beyond that, I go back to certifications. Certifications are important. But last but not least, networking. When people say about getting the first job in cybersecurity, you gotta work a network.

Derek: Yeah.

Sean: So cultivate a network. Professors that you have in college can help. And joining local security groups. ISC2 has local chapters, ISSA in Puget Sound is a great group to be part of, and ISACA in the Puget Sound. And you just…

Derek: Great ideas.

Sean: Network. And as a student, you’re certainly welcome to join those clubs. That’s how you meet people. Word of mouth and all that kind of stuff. So those three things together, I’d say.

Derek: Oh, this is great. And I know there’s so much talk of AI in the marketplace. Where am I going with that, the relationship piece you were just landing on never changes. You always need to be nurturing mentor relationships, peer relationships, subordinate relationships. With that attitude to pay it forward, just looking to learn, having that learning mindset, how can I serve? I think that opens a lot of doors. I know in my career that’s been a critical equalizer, just building friendships, building relationships like with guys like you that are able to steer through lots of different waters.

And I know we’re gonna run out of time. There’s so many more things we’re gonna talk about, which is why we’re gonna have some more sessions with you. But give us a little peek into your day to day for a second. What would surprise somebody about what the role of the CISO is like?

Sean: Well, it’s a great question, and what comes to mind, maybe this isn’t gonna be the best answer in the world, but the thing that comes to mind right away is: I think especially business focused leaders would be very surprised to know the level of archeology that cybersecurity has to do on a daily basis.

Derek: Is this why you tell me you actually wanted to be Indiana Jones when you grew up, not Pudge Rodriguez?

Sean: Well, okay, if you’re gonna go back to that, for me it would’ve been Gary Carter. I was a big Mets fan. And Dutch Daulton. I then became a Philadelphia Phillies fan at some point. Dutch Daulton would’ve been the catcher I would’ve been playing with.

Derek: From here in Seattle, it’s the big dumper, it’s Cal Raleigh. That’s the catcher extraordinaire of the current era. Anyways, you had a real point you were gonna make.

Sean: He’s a great one. There’s no question. I’m a big fan of Cal. The archeology aspect, everybody, every organization talks about some level of technical debt. Any organization that’s been in existence for twenty, thirty, like BECU, ninety years, there’s technical debt. You’ve grown organically, and all kinds of stuff: business processes and things people don’t document very well in some spaces.

Derek: Yeah.

Sean: And it’s all that, right? What I think is hidden from a lot of people in the organization that are focused on business, focused on strategy, or focused on just delivering product is, when we try to do modernization or we try to do security implementations or put controls in place, it breaks so much stuff. Because we didn’t know we were using that application that way, or…

Derek: Interesting.

Sean: We didn’t know this interconnection was dependent on this routing. And we uncover all of these things. We think it’s the best security practice. This is what NIST tells us to do. You overlay that into a business process that’s got a lot of technical debt, you break things. And folks that aren’t in cybersecurity, and maybe not in technology in general, don’t get it. It’s an incident, it’s an imposition, it’s an inconvenience, you’re creating downtime. This is unacceptable.

Derek: Slowing things down.

Sean: Yeah, and it’s all true. But I don’t think there’s an acknowledgement that, “Oh, you know what? We actually caused this. Let us be part of the solution, not the firing squad.”

Derek: How do you, last question here, and I’m sure you’ve faced this one down a number of times in your career, how do you look across at a board, a CEO, a peer, a colleague, and genuinely say, “This is a strong security program,” or “We are secure”? I want to give you some space to process, cause I know this one can go a lot of places.

Sean: When you said “we are secure,” that is not something that anybody should say, because there’s always risk.

Derek: Right.

Sean: If you are connected to the internet, you’ve got risk. So not to split hairs, but you’re talking about security maturity or level of confidence. I go back to the risk tolerance aspect. How close are we to that risk tolerance? How resilient are we in case something goes wrong? Those, and in fact, it’s not in case, it’s when. And those kinds of measures are much more important and much more real than any kind of false confidence.

Derek: Yeah.

Sean: Bravado, or to answer the question directly: “Yeah, we’re secure. We’re secure because some external agency came in and gave us an assessment, and we’re secure because we’ve got a SOC 2, and we’re secure because we have some ISO 27001 certification.” That’s not how you do it. You’re giving false hope if that’s how you answer that question.

But being able to really demonstrate how close we are to the risk tolerance levels, what’s keeping us from being at the risk tolerance levels, and how resilient are we, so it’s really co authoring some key targets, some key thresholds, and then continuously having that conversation back against those at any level in the organization. That’s really how you can say we have a strong security program and we are secure in a relative sense, appropriately, against A, B, and C.

If they would buy it, I wish the answer could be: “We are doing everything we can to be as secure as we can and make it as difficult as possible for the adversary to win.” I think that’s what you’re doing, but that’s not a really confidence inspiring statement. But at the heart of it, that’s what’s really going on. We’re doing everything we can. We’re taking care of everything that we know of. We’re mitigating as much as we can, and it won’t be easy to attack us. But we have to take risk to be in this business.

Derek: Well, thank you, Sean, for joining the Smart Cookies Podcast and providing thoughts into how security really shows up in an organization versus what you read in the news. The balance you have to bring across strategy and culture and trust and risk and technology and, oh yes, of course, now AI. And then bringing in different executive leadership groups and functional groups and product and business and boards and CEOs and everything. It’s a lot to navigate. And I think from all of us, we’re very thankful that your baseball career did not work out and that you became a security professional. We wanna congratulate you on your high school accolades, and we hope to see you in the hall of fame there. And hearing your origin story and how you got to where you’re at, I think that’s something we can all learn from, and then how it’s having to adapt for the next generation of leaders and how it’s gonna be different. So thank you for joining us. Thanks for the real conversation, and we’re gonna be having you on again here soon.

Sean: Okay. All right. Thank you.
