The role of a CISO is one with many responsibilities. How do people in this position manage and balance everything that comes with their role? Here to shed light with a psychoanalytical perspective on the role is Mark Eggleston, CSC’s Chief Information Security Officer (CISO). He is responsible for the global security and privacy program design, operations, and continual maturation. Join host Matthew Stephenson as he sits down with Mark to touch on topics such as mental health and leadership. Do CISOs need psychotherapy or are they the psychotherapist for their organization from a security perspective? They also discuss the different processes and why delegation and collaboration are critical in managing a team. Plus, Mark shares some insight on the maturing tech he’s looking into to improve processes and vendor relationships.
A Psychoanalytical Perspective on Being a CISO with Mark Eggleston
In this episode, we are excited to welcome Mark Eggleston to the show. He is the CISO at CSC where he is responsible for global security and privacy program design, as well as operations and continued maturation of those things. He also sits on multiple boards. In previous lives, he had over seventeen years at Health Partners Plans, multiple executives and leadership positions, including CISO and Chief Privacy Officer. He started his career as a psychotherapist. Mark, welcome to the show.
Thanks so much for inviting me. I’m glad to be here.
I feel like I got to make the obligatory joke. Should I do this from the couch?
It wouldn’t be the first time I’ve heard that. Everybody hears that. This place is crazy. You’ll get along well here. You’re just what we need and all those types of things, I heard. I like to think that it helps us better understand what motivates people. It helps you stay on track. It helps you make sure you don’t take things too seriously. We tend to take things very seriously when you’re a HIPAA cop or when you’re a security officer. I think it’s a good balance to bring that lens through the workplace.
I think that’s unique for you. I’ve had the good fortune to speak with people who have been in the medical field, whether it’s boots-on-the-ground officers, high ranking officers who become CISOs, but this one’s a first. This isn’t a joke. This is a legit question. Compare and contrast, do CISOs need psychotherapy or are they the psychotherapist for their organization from a security perspective?
Does it have to be one or the other or can it be both?
A fair point.
I would take it back a step and say that all people can certainly benefit from some level of psychotherapy. Mental health has a longstanding stigma in this country and not just this country in other areas as well. I think the more that we bring it to light, the more that we say it’s the same. It’s a mirror image of physical health. It’s okay to go see somebody and talk to somebody.
It’s a good thing. This is certainly prevalent on LinkedIn. People are also very much into seeing executive coaches by the number of times that I’ve been solicited on LinkedIn on other platforms. I think that’s showing you that there is a market need for people to talk about things, mental health is coming out more and more.
Maybe it’s the pandemic when people have been at home for two years and airing their grievances on social media, but there’s a desire, a fit for people to talk about how they can react and be more resilient and mentally strong. I think it’s a good thing. To answer your second question. Do organizations need it? I think that’s probably more set by the board of directors and the executive teams.
They’re going to set a tolerance for how much they want to talk about, you know, mental health issues and things of that nature but there again, there has been more push for that. Certainly, as there has been more push for diversity inclusion things, it could stand a chance in the future to continue to talk about mental health and resiliency as an organizational piece.
I appreciate your sincerity in that answer. I was going a little more metaphorical on the second one where the CISO is examining the overall body of the organization.
CISOs are well-vested and well-versed in what makes an organization tick. If you look at what a psychotherapist does, they’re doing a lot of the same kind of thing. They’re making decisions and they’re doing analysis on systems. It might be more about the individual’s native strength, the family or the school. All those different settings impact things. I would say that within any organizational setting, you’ve got similar dynamics. I think it’s a good skillset to have.
It is a skillset for you. It’s been a long time since you were a practicing clinician, but what have you brought with you over your career? Because as we said, you have operated multiple executive leadership positions and for seventeen years at one particular company. Also, getting involved in various boards and governing bodies. How has that influenced your leadership style and your approach?
I think when you’re lucky enough to have and build great teams that it gives you some time to go back out and give back. Whether it’s mentoring other individuals, giving a solo presentation or working with the up-and-comer in security to give a joint presentation. Having those opportunities set in front of me helped me. It gives you a little sense of gratitude. I was making a post on this on LinkedIn. A study shows that teams appreciate sincere thank you notes and gratitude.
Lo and behold, the other piece that’s helped people with happiness is when they find gratitude. No matter what your situation is. Are there 1 or 2 things that you can think of and say, “This is something to be happy about?” Even as a therapist, they had a model that I personally appreciate and chose to use a lot in my own practice, which is a strength-based perspective.
Forget about all the dysfunction and all the craziness that happened around you. What is one thing that’s done right? If I was working with kids and adolescents, they had a messed up family and maybe their school system was atrocious, but they did well at baseball. They did something like that. Where can they go out and get the strength and learn to get more motivated about something and feel more positive about something? If you can apply that to the role of the CISO, a lot of times, you’re going to need to focus on, “What is something good that we’re doing and we can build upon that?” If you look at all the bad things because we’re always asked too, “What keeps you up at night?”
It’s a shedload of stuff. When you have so much stuff that can cause you to lose sleep, it goes back to that gratitude piece. What are you doing right? What can you build off that? You’ve got some great passionate team members. Those team members like to learn cool stuff. What kind of resources can you line them up with so that they can feel stronger about their careers and learn more things to do? You’ve got a highly collaborative culture. That’s pretty cool. Some of them have some technical expertise. What things can you throw with them as a challenging opportunity for them to help you out with some of your endeavors? The list goes on and on.
You have been on the technical side of things and for a long time, on the leadership side of things. Reading through a lot of the things that you and I’ve spoken about, some of the articles that you’ve posted on LinkedIn and that Inc. article was interesting. I highly recommend everyone check out Mark’s page on LinkedIn and read through that because there is stuff that I hadn’t thought of why it’s a good idea as opposed to something I used to think was done.
Back to you and the notion of, as you have evolved into the way that you approach things now. It’s interesting that you’re talking to me almost exclusively about people and about culture and about planning and strategy to improve the people. I haven’t heard any mention of any technology yet. Do you still get down into the mud? Do you still tinker on the technical side?
I do. I’m a little different and it may be just because of how I entered this field. A lot of people that are CISOs and security leaders are coming up from the network group. That was the stereotypical old adage that people came up from doing network stuff and then say, “I’m going to try the security thing. They’re getting a little bit more attention.” Those are going to find more technical people. I came into this more from a compliance perspective.
Looking at something called HIPAA, which was new twenty-some years ago when I started. Being able to map controls and then see how I can make things easy. Applying security controls to a vertical, which was very much not used to doing that. Healthcare was very helpful, but what was your question again? I feel like I got off-topic.
Do you still tinker with the technical stuff? Do you get down with the foot soldiers and get dirty?
I do love technology. I think that piece is always another part of my passions, whether it was starting your own computer club back in high school eons and eons ago. Gaming, to a certain extent, was something I used to do. I remember Quake back in my day. You spend hours doing those types of things. Also, my dad’s an engineer and I think genetically speaking, there’s a part of me that’s like, “I wonder how you could engineer this for something else or how does this work?”
How could I take that apart and it’s a car?
We never took anything to the shop like TVs, cars and everything. I was a guy holding the light. I never could do it right for my dad still to this day. That goes back to your point about tinkering. I think natively, intrinsically, I had a desire to tinker with things. Do I still do it now? Not as much as I used to, but I get involved with it at a different level. I get involved with it more from the vendor road mapping and trying to find vendors that are eager and willing to adapt their products to meet our needs. Maybe it’s a young and up-and-coming vendor versus an 800-pound gorilla that will not be flexible enough to innovate around our needs.
It might also be working with a talented sales engineer who knows their technical chops. He has been following that individual around making sure I know where that person is going or who that person recommends for having good technical chops. Trying to spot other people like that who have an unquenchable thirst for tinkering with things and making sure that I can learn vicariously through them.
It’s where I should be viewing things from now. That’s what I’m typically doing. I’m working with someone else and asking them to give me a demo. Show me the configuration setting. Show me how about this SSE stuff. Show me the latest Microsoft E5 product and what are the available options and then we’ll come together with how we can configure these things. Yes, technical, but on a different level.
I feel this smooth segue into insider risk as you are doing your type of tinkering but working with those who are also doing the same thing. As you say, bringing in young companies or startups who are willing to flex and bend their existing products for what you guys need at deep. Does that open the door to potential threats? These would be unwitting. These are people who are trying to ethically hack something in order to improve it to improve your systems in place, but you’re also opening the door to something new or something that hadn’t been planned for. How do you plan for that as the leader of the organization?
That’s a lot of questions there.
It’s only one. It’s a lot of words to get to.
Yes, insider risk is certainly a prevalent threat. An insider risk, in my mind, can be designated into two different groups. You have the people that are, “I didn’t realize leaving my laptop in the backseat of a car in plain view with the doors unlocked would be a problem.” They didn’t mean to, but they need some more education. You’ve got the worst-case scenario, which happens far less, but it is far more devastating. Those are the people that have malicious intent. “I am going to take down your enterprise because you didn’t give me that promotion I thought I deserved,” those types of folks.
I think you treat both of those two groups or workforce member groups a lot differently. I do like the idea of certain products and I think Gartner referred to this as mesh networking or, uh, the ability to use APIs and other things to work together. Wouldn’t it be great if someone has a whole lot of issues with failing phishing tests?
Maybe they have a more limited secure web gateway group, so they don’t have the opportunity to expose their deficiencies against a company. It would be nice to make those risk-based decisions. I would hope that technology providers are doing that. Making automated workflow easier for my SOC and other security engineers to address those types of things for insider risk. I’d work with those types of companies all day long.
In a perfect world, a CISO in your or a similar company’s situation, how much of the CISO’s time should be allocated specifically towards people as opposed to the classic PPT, People Process Technology? Where do people fall in that stack rank?
You’ll probably get different answers from my peer group. From my perspective, I would think that you’re working 70% of your time with people, if not higher. You’re working on stakeholder analysis and effective storytelling that captures what your team is doing so you can continue advocating for more resources. You’re working with stakeholders outside of your org chart so you can make sure they understand the value you’re bringing and you can capture requirements from them.
You’re outside doing things like we’re doing now so that other people can say, “I’d like to work for this company. They sound like they’re doing something right there.” Also, looking at other recruitment streams. Maybe it’s going to a college or to a BSides event and doing all these different things to help make sure that you’re branding your organization and the opportunities that you can provide. At least that high.
Part of your role and something we are seeing a lot more frequently is that the CISO also includes privacy in the title. How big of a split is that or is that something that, for your organization, they’re one and the same?
In my current organization, we certainly work very closely with our legal counsel and it’s a shared responsibility and that’s working great. At other organizations I’ve been at, I’ve had it both separated and then worked to get it together. I felt that having it together was a stronger gain for the company. I say that, Matt, because they say security is what the triad of CIA, confidentiality, integrity and availability. A lot of that work is highly dependent upon the first one. The confidentiality piece, which is a lot of what privacy’s working to ascertain or accomplish in any organization.
If you got an incident going on, I’m going to want my privacy person 99% of the time to be involved in those incidents to look at the confidentiality factor. A lot of times, privacy’s working on the educational piece and some of the training that we’re doing to help ensure that our organization has strong security IQ, so they can learn from those incidents, do some tracking and some metrics on what type of issues we’re having.
For example, if we’re not validating our callers or customer verification very well, we’re going to impose a new training on that issue and the privacy person can help with those types of distinctions. In healthcare, it was always a misdirected fax. We would do lots of creative training on misdirected faxes from our privacy officer. I think the other piece too, is a lot of folks are wanting to get to that C-level or C-level minus plus one reporting relationship. From my perspective, it’s efficient to have both privacy and a security official rolled into one for board reporting and executive discussions and things of that nature.
Also, saying in the same breath that I am not an attorney, nor do I play one on TV. I think you’re always going to need both outside counsel and internal counsel to help go through and better understand the laws and regulations. When it comes to operationalizing things, I do feel strongly that that’s something that the teams that I’ve led before can help with. We make it easy to make sure that you can do those things and it’s not focused purely on a rigorous review of strict law requirements. I’d like to look at that and look at each law and regulation as a risk-based decision. What can we do to comply with that, but still keep our business growing and not just running?
Does the privacy of your employees fall under your purview or is that a different team?
Employee PII, I think, is still a shared responsibility with our legal team and my team. In my prior life, it was probably more dominant in my role. I would do evaluations. I was doing evaluations for a lot of the HMOs that are providing health apps. You give us some of your PII and show us how you’re exercising. We’ll give you a $10 gift card or things of that nature. Again, we can look at that, help out and say, “This is something you might want to look at or here’s some things or some agreements to do or some other adaptations. Can we go ahead and ask the company, a third party, for these things?”
We’ve been doing that for a number of years with PIAs, Privacy Impact Assessments and vendor risk management. Typically, before you onboard a vendor, you’re going to talk with your privacy and security team to make sure that they’re using only the minimum necessary and what are you doing with retention. If things go south, how can you destroy that information? Those are all things that privacy professionals have a keen eye on and work hand in hand with the security folks to make sure it gets optimized.
You have been in multiple C-suite positions. I’ve said that a bunch of times already. You are also sitting on boards. You are also a prolific speaker where you are in front of a lot of people who do the exact same thing for different companies in a myriad of different ways. How often is not just risk but insider threat a part of that conversation or is that something that is not a niche, but it’s like, “We’re going to this thing specifically to talk about that.” Is that part of the more wide open meal, if you would, of conversations?
The last time I had that as a dedicated topic was probably a few years ago at a healthcare seminar when we had the gentleman from Carnegie Mellon. That’s a good approach to insider risk and is laid out in a nice academic model. That’s come up. I also know that with some of the DLP and data governance tools that we’ve had. That’s been a conversation and I think that’s something that a lot of people have been focused on, especially as it relates to unstructured data. The stereotypical example being a file share. A lot of companies that aren’t greenfield, in other words, haven’t been created in the last couple of years when the cloud’s been the dominant option have legacy file shares.
What do you do with all those folders out there that are ripe for the picking for ransomware and also have all sorts of everyone groups or authenticated users have admin rights on those folders? You have to tackle those things and then pass that. You have to make sure you’re putting in some level of RBAC or Role-Based Access Control and some level of automation. There are some nice technology solutions out there that do work on those types of legacy products and are working to jump to the cloud to make sure that you have efficient processes in place for people to ask for access and do recurring access reviews or entitlement reviews, which I think is a big piece of insider risk. Also, it meets the use case for ransomware resilience.
The first thing to do is to make sure people can’t come into the organization to move from East to West. A lot of that has to do with NTFS or folder permissions and making sure that you’ve got those things locked down. I think that’s still very much something that’s talked about. They may not label it as inside risk, but whatever term is going to make it sexier for people to adhere to and get behind it, I’ll call it whatever you want. It’s a really important concept.
Another thing is people always want to get out the latest and greatest technology that maybe solves 10% of your issues, but if people had just set effective RBAC and removed people who’ve left the company, probably they see a lot fewer headlines and negative headlines that is. We speak to some of those foundational components, but that’s nothing new. A lot of my security peers have been preaching that.
You may have dated yourself when you said Quake, but when you said file share, my brain immediately thought of Napster. It probably puts us on the same date if we keep pushing that terrible metaphor. Let’s go back for a riff on my opening question. Talking about the CISO and the pressure on everyone in that peer group. How difficult is it, especially for the CISO in this age of malware, ransomware and nation-state attacks, to take away his or her mental and physical health? Do they have enough time even to take care of themselves?
As Peter Drucker says, do you measure what matters or do you make time for the things that are most important? I’m sure some managerial genius quoted that, not me, but I think that’s important. You gotta make time for what matters. I guess I’ve got three roles here. CISO is one of them, but the father is another, the husband’s another and you can ask my kids and my wife, there are certain weeks that I suck at that. There are other weeks where I’m good at that. If you ask my direct reports, they’d say I might suck on these issues too.
The point being is that I’m rotating between these three hats and they’re all very important. I’d like to think that I’m working to support my family, so it helps me get perspective. That’s important in all this. Back to your original question, do we have the time? Yes, but you’ve got to carve that out. You’ve got to be purposeful. Back to your other question, maybe being purposeful is to see somebody and get your priorities in order. Make sure you have the right coping strategies.
I think we’ve talked about this before. Sometimes it’s out breaking away and doing a mountain bike ride. In the summer, you can find me out in my boat most any nice weekend gunkholing. Maybe it’s fishing or crabbing. Those are all fun things to do or just going out to the beach and surf fishing. It doesn’t matter if I catch a fish. Being out there with the water and hearing the waves is therapy for me.
I also think that working out 2 to 3 times a week, especially as I get older, is continuing to be a big point of effective wellbeing. It helps me sleep better at night and helps me get a release. Maybe last but not least, I do have an occasional drink. I know sometimes that can be not such a good thing and I respect people who don’t have that ability to do so or have chosen not to, but for me, having a bourbon on the rocks after a long week can be relaxing.
Also, enjoying different varieties of bourbon with some friends and other CISOs or other security folks is very enjoyable to me. I try to do all those things. Probably drinking should be one of the ones on the lower scale, but working out, staying active and giving back are all good things to help you with your own mental health, for sure.
I mentioned time and so did you. I know that is something of a point for you. I’m going to throw you the ball and clear out, but I will open with this. As a CISO, how can you even do your job, given how many people are making claims on your time? How many meetings a day? How many hours in a day? How many days in a week? Can you even do the job or is the job just doing the meetings?
You’re probably asking for a truthful answer there. How do I want to answer that?
On behalf of all CISOs in the world right now.
Would you rather we say, “You know what? It does suck,” and then go into a bunch of issues or do we say, “This is a big challenge. What can we do to make it better?” I prefer the latter and I think that goes back to who CISOs typically are. They’re a resilient set of folks. My meeting time, Matt, at the low time is 6 or 7 meetings. High scale, 14 or 16 meetings a day. There are times when I don’t have any time out of that and that’s something I look at. It’s like, “That’s on me. I’ve got to fix that.”
You’ll see this from a lot of folks too. What about the power of delegation? Most people don’t delegate because, “Why would I want to teach somebody to do this or set them through this for half an hour if I can do it in 2 to 5 minutes,” and that’s a trap. You have to recognize traps and move beyond those. Also, empower your staff and your workforce to do some of these things. We have some options, some routines and some management tactics that we can employ that are going to help us find the time.
This is a busy role, make no doubt about it. The demands that are put upon you from all the things you just mentioned and so much more with so much executive focus has not subsided in the many years I’ve been doing this. You have to think about that too. What can we do to make things better? There are people out there that are rethinking cyber security and information security. What can we do? In the meantime, you still have a lot of vendors for all too. You have over 4,000 vendors now in the cybersecurity space.
I was just reading a Wall Street Journal article that it was going up. In 2021, an almost $2 billion increase. That’s not sustainable. You have to look at that too. Do you have a chief of staff to help address some of these things? Do you have a different way of engaging with vendors? All these are things that can be solved. I think you have to understand that everybody’s out there to support their family just like you are.
Treat them with compassion and some kindness and make sure that there are rules of engagement set for these things as best we can, whether that’s your internal staff, your vendors, your workforce, and what we can do to make things better. If you’re not thinking about what you can do to make things better, you probably shouldn’t be in this business because as much as we have our hard and fast roles and there are so many smart people in here, we’re pretty novel as a profession. This stuff has not been around for too many decades just yet.
Is there any technology out there right now that’s caught your eye? It doesn’t have to be a company per se. No free ads, but there’s some tech that you feel is maturing. Maybe not quite there yet, but it’s close. They’re ready to be called up to the big leagues if they can only maintain it for one more season, one more month or that sort of thing.
From my perspective, I’m loving vendors focused on vSEC, software security edge or service edge and/or security service edge. Basically, putting a lot of the different security controls in an agent or with a sole provider. We used to have a SWG, a Secure Web Gateway and then we have an SEG, a Secure Email Gateway. You then have a DLP engine. You have all these different things from various competing vendors or different providers, sometimes even different agents. The thought that you can get all that and then also get increased performance, there are a couple of security vendors who are doing that and it’s nice.
When you think about it, DLP and a secure web gateway should be together. CASB should be together in that. It makes a whole lot of sense. I think those vendors are going to be probably some of the bigger disruptors because they’ve already got massive amounts of customers. They’re doing some rapid innovation. There are two vendors that are in high competition there. I think that they’re going to continue to force each other to be better. We’ll continue to look at those types of vendors. As it relates to insider risk, they should be able to correlate things better too.
There are other technologies that I’m not as keen on, like SIEM. SIEM has long been chewing out security professionals for a couple of decades now with not as much return on the investment. If you’re able to look at more events through SSE vendors and they can correlate both cloud and on-prem pieces and these risk-based decisions to what assets you can get access to via claims rules or step-up authentication, that’s the holy grail right there.
More machine learning, perhaps not artificial intelligence. I still love my team to make a lot of those decisions, but if they can prime the pump and say, “Here’s a decision you might want to make,” and you can click a box to execute that. It goes back to a piece or some kind of mesh fabric that’s going to allow a decision to operationally be impacted on another tool, that’s great. That’s what we need, too, with some of the issues with hiring staff. The more we automate and the more we get our vendors to play nice together, the better off we’ll be.
You already beat me to the punch at a lot of leadership corners. When we ask, “What are you doing when you’re not doing this?” I’m going to sharpen this up a little bit and say, “What’s on your playlist? What are you listening to? Are you reading anything good right now?” We know that you ride your bike on the ocean to surf fish and then have a bourbon after it’s over. What are you listening to while you’re doing that or if you’re reading something while you’re having the bourbon?
I still listen to a lot of my ’80s and ’90s playlists. It wasn’t too long ago that I got my Apple Music in a serious subscription, to be honest with you. I would still play around with my little USB key with 1,200 different CDs from yesterday.
You got your real player.
If I was looking to get amped up, maybe it’s Rage Against The Machine. Maybe it’s Tool. I’ll even go back and listen to Helmet or some older stuff. If it’s something that I’m looking at that I need to focus on more, maybe it’s something more new age or from the baroque period. Maybe it’s got to help me. I’m all over the map when it comes to musical taste and things of that nature. I dig in Silversun Pickups. They put out a new EP, which is good. I get to see them in concert. I’m looking forward to that. Every time I go to see a concert, I’m like, “I got to do this more.”
It opens up this section of my brain that I don’t use as much as I used to. I’m more analytical and not as much in the artsy stuff. What else do I read? I’ve got a boating magazine subscription in Clippinger because that’s where I’m at in life, looking to see how to maximize retirement strategy and boring stuff like that. I’m a prolific reader of LinkedIn and other business porn sites, whether that’s Gartner and Dark Reading. There’s so much cybersecurity and information security stuff that comes up that keeps me quite busy.
Sometimes, I’ll cook. I think over the pandemic, I explored. I think it was in the New York Times who were sending out free recipes that were just fantastic and a couple of the more creative vendors created home meal kits. It’s their take on Blue Apron, etc. I enjoyed the heck out of that and grill some, but I’m not a hardcore griller. There are lots of different fun things to do there.
It is shameless plug time and this is again where I get out of the way and please be shameless. Many people hate talking about themselves and what they do if they’re doing cool stuff. I think you’re doing some pretty cool stuff. What is your website, social media or any events? If you’ve got speaking things or conferences or even charities that you’re involved with that you think are worthy, please share them with the world.
I would go out to our website and see the career section. I believe there are 2 or 3 open positions we may have. We try and keep those down to a low number, but occasionally, we do get an opening. If you don’t see what something’s out there, then hit me up on LinkedIn. I would love to hear what you’re looking for and see if we can be of help. That is a big piece that I do like doing. It’s connecting people. I get lots of different opportunities sent my way. I’m quite happy where I’m at. If I can help bridge someone else’s next step up in their career, that makes me quite happy.
The man is active on LinkedIn. Make no mistake. The article he’s talking about is recent and then I read three that he had published.
There’s lots of good stuff. I often look at my team and say, “How can we make this simpler? How can we have an easier onboarding method for some of our identity access management processes? How can we look at our application inventories and make sure we’re spending the right amount of time on the right amount of assets?” Sometimes an Excel sheet is a wonderful tool in my book.
Mark, I appreciate it. Thank you for coming to the show. As I have mentioned in previous episodes, we are looking to assemble the Avengers at some point and have a few panels sit down where we’ve got people in similar roles but across very disparate industries. Whether we talk about one topic or each one has a topic that they get to hit and then we figure out how to save the world from there, we will do that. Consider this your official invitation to come back.
We’ll look forward to that, Matt. I appreciate the invitation in advance.
That is it for this episode. Thank you for joining us on the show. As we have said, for information on all that’s good in the world of cybersecurity, make sure you check us out. You can find us on LinkedIn. We are not quite as prolific as Mark, but we’re working on that, so stick around, and even Facebook as well as the homestead at ElevateSecurity.com. The show is dropping multiple times a week. We have had a great series of guests, with more to come. We are only ramping up as we are heading towards cybersecurity month. Make sure that you stick around. All we ask is to subscribe, rate and review and you’ll never miss all the great folks like Mark who are continually coming on the show. Until then. We will see you next time.
Important Links
- ElevateSecurity.com
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- CSC
- LinkedIn – Mark Eggleston
- @PackMatt73 – Matt Stephenson
About Mark Eggleston
Mark Eggleston is the chief information security officer (CISO) for CSC, responsible for the global security and privacy program design, operations and continual maturation. As a senior executive specializing in security and privacy program development and management, Mark’s unique background and expertise in information technology, program, and people management have positioned him as a thought leader and frequent industry speaker.
Mark started his career as a program manager and psychotherapist at a hospital serving children and adolescents. Later, Mr. Eggleston helped develop an internal compliance approach—complete with policies and tools—ensuring a geographically dispersed health care provider organization (across 19 states) complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Mr. Eggleston then transitioned to applying his HIPAA expertise at an HMO where he has implemented many successful security controls and technologies, including single sign-on (SSO), Identity and Access Management (IAM), Cloud Access Security Broker (CASB), and a vulnerability assessment program.