Cybersecurity can support an organization's strategic development and a whole lot of other things, but the biggest thing it brings to the table is trust. If you work in cybersecurity, the people in the organization have to trust you, and you need the credentials to earn that trust. There is no trust without credibility. Trust is key in the world of cybersecurity today, especially if you have to teach employees about security awareness. Join Matthew Stephenson as he talks to Dr. Sean Murphy, Senior Vice President and Chief Information Security Officer at BECU, about delivering trust as a CISO. Dr. Sean Murphy is an accomplished cybersecurity executive with more than 20 years of experience. He has worked with fast-paced organizations in the military, healthcare, and financial services space. Listen in to learn more about the importance of being trustworthy and credible, and discover why you need to keep those curbs safe and painted yellow.
Cybersecurity Must Demonstrate How They Deliver Trust With Sean Murphy
In this episode, we are excited to welcome Dr. Sean Murphy to the show. Sean Murphy is the Senior VP and CISO at BECU. In previous lives, he spent over a decade in cybersecurity and many years in the United States Air Force Medical Service Corps, serving in CTO and CISO roles, among other things. Dr. Murphy, welcome to the show.
Thank you. I’m glad to be here, Matt. I look forward to the conversation. This is one of those topics, security, friendly fire, and all those things that are fun to talk about.
We’re trying to figure it out because as things continue to evolve and the world is on fire all over the place, metaphorically and physically, we need people that are doing what you do with the history that you have. We’ve had the good fortune to have some great guests on the show who, in the natural course of conversation, not planned questions, have all talked about culture. That’s something that you and I talked about when we were doing the pre-show, like prepping for it. As a CISO, can you manifest a security culture? Is that something that needs to evolve organically, naturally? How do you do that?
It’s impossible for it to grow organically and naturally. In fact, it is counter to most organizations’ culture to think about security. Maybe a word that can be thrown into this part of the conversation is compliance. Typically, the culture is a little more leaning or skewed towards innovation or getting things done, growth, and all kinds of things that are very progressive in a strategic nature. Traditionally, things like cyber security were seen as the long pole in the tent. It is a constant, exciting, and ongoing, purposeful journey to have people like the security professionals help to build and foster a culture and an organization that does build in security versus bolting it on at the end as an afterthought.
Security is an afterthought. We're hoping to change that mindset when you get to the idea of culture not being able to be an organic thing. With your role, how do you do that? Do you force the issue? Is that too harsh a way to describe it? Especially with what you're doing, these are people's lives. These are the finances that they count on to pay the mortgage, keep the power on, pay their employees, and feed their children. Can it be an afterthought?
Too often, it is an afterthought. After something happens, you're in the headlines or you have a disruption in your business and you're finding that a ransomware attack or something has crippled the organization. You come back to that Finding Jesus moment. Within the organization, that can certainly be a catalyst for a changing culture, but none of us ever wants to get there. We try to prevent that from happening. I almost go back to how you led into this, with a long history of being in cybersecurity for myself. There are a lot of people that have that same long history.
However, there are not as many as there are now. Over the years, I’ve seen an evolution of more people getting into cyber security. That’s important from the aspect of it being a profession. A lot of us got into cyber security by being the person that didn’t take the two steps back when a security issue popped up and somebody needed to either lead or attack the issue. I happened to be in medical devices in the Air Force.
You can’t say, “I happen to be in medical devices in the Air Force.” Let’s talk about two of the most technologically advanced things in the world. “You just happened to be in them?”
In some manner of speaking, I did. I was fortunate enough to be selected to work in a program office that delivered some of the initial digital teleradiology to the Air Force. This is in 2002, 2003, and 2004. In the midst of that, as we were attaching these teleradiology systems to the warfighter’s network, security concerns were certainly present. There wasn’t a long history in Clinical Engineering or in Medicine in general, certainly not in the civilian sector to look at how to attach these commercial off-the-shelf, special purpose computing systems onto a warfighter network, a DoD network.
Getting into security in that way, I was pressed into service. I had to learn how to do the security that was needed to secure the medical devices themselves as much as we possibly could, because the Air Force doesn't build PACS and teleradiology systems. We can't get in there and manufacture them differently than what the OEMs make them. On the other side, we had to keep the medical devices themselves safe from the information and attacks that were going on against the warfighter's network. It was bi-directional.
Going into that, there was a newly fallen snow. There wasn't a strong path charted. There were only a few people at that time within the Department of Defense and Medicine that were cognizant of the security needs of these medical devices and working with the FDA to start that conversation way back then, to get to where we are now with more security built into those medical devices and more security awareness in the healthcare profession in general.
I say all that as a lead-in as that evolution has happened and more people have come to cybersecurity. Going back to your question about culture, it has become a profession. Purposeful, intentional people have sought formal education and formal certifications or on-the-job training to become truly either cybersecurity leaders or in my case, a Chief Information Security Officer that is truly a chief officer within the organization.
Cybersecurity should be the long pole in the tent. It shouldn’t be bolted in the end as an afterthought.
That’s super important, especially in terms of that culture and being able to help develop it and evolve it within any organization. What is the key? The key is having an ability to understand what the business and the strategy are and bringing my colleague’s professionalism to the table to be able to build in cybersecurity to help enable that strategy and that vision.
I’ll stop here by saying one last thing about healthcare for now. When I was in healthcare, I learned early that even the best security practices, when indiscriminately overlaid in healthcare could cause patient care problems, patient safety, and patient harm. As a security professional, you’re thinking these are the processes. These are the best practices across other industries. We need to bring them into healthcare. That’s not the way it necessarily works.
You have to understand healthcare and how to do healthcare information security in healthcare. It doesn’t mean that there isn’t security in healthcare. It certainly doesn’t mean that at all. It means you have to be able to tailor it to your mission, to the patient care mission that healthcare has. That’s true in finance, as well as financial services. We have a mission and we have to tailor our security aspects to what’s important to our strategy and our objectives so that cybersecurity is enabling those objectives and not stunting any of them.
During your time in the Air Force, you served in CISO, CSO, and CTO roles, and then you have been in the private sector for many years. When it comes to addressing the notion of insider threats, either witting or unwitting people that you need to be looking out for, is there a difference between being in the DoD, in a broad sense, and being where you are now in the financial industry?
Maybe the approach is a little different. Within the private sector, we have broader human resource-type concerns around behavior analysis and things like that. We have tools available to us within the cybersecurity realm that we could use. There are specific use cases for doing that in the DoD that I might characterize a little differently in terms of the expectation of any privacy or human resource concerns. That's one aspect of it.
The way I approach this question is around the fact that the internal threat has always been at the center of your cybersecurity strategy: a set of credentials that the adversary has, where the external threat becomes the insider threat. It has always been difficult to catch. We're seeing, even now, external threats socially engineering internal employees to do ransomware for hire and help them break into the organization without technically or technologically breaking into the organization.
I don’t know that the level of the risk has necessarily changed across whether it’s the Department of Defense or its civilian sector. The motivations might be a little different and the way we approach trying to detect and respond to those threats. It’s ever so slightly or ever so subtly different. The bottom line is that the internal threat is still such a large percentage of what the actual threats across the whole spectrum are and is very hard to catch.
You use the word enable and that’s something that I’m super curious about. The fact that you are in the financial industry, you’ve got to keep this place as safe as possible but you also need to make sure that everyone in the organization can not only do their jobs but that they can grow and thrive. How can the security team be a part of that motivation or inspiration to be a part of the forward progress and momentum of a company?
You have to be in an organization where it doesn’t view the cyber security team as the people that do cyber security or the only people that do cyber security to be more accurate. That’s the first thing that I reacted to in that question. If you get past that, then you have a chance to help. I use the phrase built-in cybersecurity, not bolted on. It goes for the human element as well. If you build in the idea that everybody in the organization has a responsibility around information protection or reputation protection for the organization or whatever component of cybersecurity you want to pick on.
Everybody in the organization has some part of their day-to-day job where they have a responsibility for some cybersecurity aspect. That security awareness comes from awareness and training initiatives that the cybersecurity team does take on. That’s one aspect and getting out the messaging and the training and that’s followed with the tools for people to do the right thing. When I got into cybersecurity in general, people were fond of saying, “The carbon-based life form is the weakest link.”
That is true. However, by changing the words a little bit and capturing the meaning of what you’re trying to say, people in the organization are our first line of defense. When I worked in healthcare, I added the first responders because people understand that within the industry that you’re in. It sets them up to be empowered to not only be responsible but to do the right thing and know how to do the right thing.
That’s part of the training and awareness. Getting the message out to the organization, to the employees that they have the responsibility to do the right thing, showing them how easy it is, and helping them do the right thing certainly helps the organization extend that cybersecurity awareness and changes the culture.
Internal threats are still such a large percentage of what the actual threats across the whole kind of spectrum are.
You mentioned the human elements. That is something I feel is shifting where previously, the attitude was that humans are the weakest link. We’ve had some great guests who are actively and aggressively debunking that. They’re leaning into the people and saying, “The people are the greatest thing. Embrace the chaos. Figure out how to make it work and channel that.” When it comes to the human element, where are the weaknesses that you as a CISO and your team and organization need to focus on in order to harness that energy?
The phrase, complacency kills, is where I start with that. People ask me, “What keeps you up at night?” What keeps me up at night, honestly, is the complacency in an organization. I liken it to painting the curb yellow. When people trip over a curb, you know how many people trip over the curb. You know your risk of lawsuits and damages from people getting hurt, tripping over that curb if you’re responsible for the curb. You could measure that.
Once you paint that curb yellow, people stop tripping over the curb and you get this sense that everything’s great and you go focus on other things. Sure enough, because you’re not measuring how things are going and you’re not maybe keeping an eye on that curb and things chip away, the curb becomes unpainted again then people start tripping again. That’s like a cybersecurity metaphor or analogy, whichever is true or appropriate to that story.
Once you come into an organization and you put a program in place and the maturity level of the organization from a cybersecurity perspective starts to increase, you can see that the organization starts to focus on other things. Part of my role is to keep the messaging going. Keep the intent and the strategic objective of cybersecurity still in the discussion of the other strategies of the organization. Make sure that it continues to be built in and continues to be a focus because we want to keep that curb yellow and not have people trip over it. I’m going to extend that story as long as I possibly can here.
I love that. That’s not one that I’ve heard before. If you’ve coined a term, hopefully, it will become a cliché because it makes sense. It’s a great way to explain what you need to do.
It’s accurate to make the point that complacency happens in an organization. There are so many things to worry about. There’s no question that people from all walks of life can come and talk about what their specialty in their profession is, whether they’re in finance, human resources, or they’re engineers doing development. Those things are super important and are the key to the success of every organization. I don’t minimize that at all.
I have an expression that I have used in the past, especially within project management or in the development cycle or release cycle, even as we get to dev ops within organizations. Meeting deadlines is not an excuse to make the headlines. With security, you don’t want to bypass, shortcut, or circumvent security requirements as they are in order to make a deadline because then you end up in the headlines with some breach. That’s not a good trade-off. Nobody ever says, “I’m glad we got this feature out but now we have all these unhappy customers that are voting with their feet and going with our competition.”
That was something else you said when we spoke before. If you rush to the deadline, you end up in the headline. It made me think of the sports cliché that the people whose names you never want to know are umpires and offensive linemen, because that means you've screwed up somehow. In your position and previous roles, do you ever want to be famous, or is a CISO's job to not be famous because he or she is doing their job in such a way that nobody knows that they're there?
I grew up in this profession. I remember a time when people were reluctant to even put their titles out there. Putting a crosshair on your organization by holding yourself up as the greatest security team or these awards that come out for all these different things. Now, I’ll be the first one to say. I haven’t won any of them. Maybe you can accuse me of that. I’ll take it. I’m guilty as charged.
However, if you step back from it objectively, I don’t know if it serves anybody other than the people getting the awards to put ourselves out there as these award-winning types of security people. The same newsfeeds have some of the biggest organizations one after the other with issues. It’s not the CISO’s fault. Why do you put yourself out there as a target? It’s too easy. Maybe I’m missing the point. I’m also happy to say, guilty as charged on that one, too.
As you asked that question, that’s what I think about it. It’s like, “I don’t want to be famous. I want to be as obscure as possible.” I’ve done a real good job of doing that. I want to contribute to the profession. I do as much as I possibly can to be part of professional organizations, write a couple of books, and contribute to chapters. That focuses more on growing the next generation of professionals. I’d rather not be the first name that comes up in a Google search when you look for me.
It’s like being the world’s most famous undercover agent. It’s against the idea of what you’re trying to do.
The carbon-based lifeform is the weakest link.
We are attacked enough at every organization I’ve ever been to. I don’t want any notoriety to become a challenge for anybody. I don’t get it but God bless everybody that participates in those things. That’s great. I certainly am happy for everybody that gets those awards. Back in the day, we used to talk about that as putting crosshairs on your organization. I remember people not wanting to even put that on business cards. There’s a nugget of truth in all of that. Security through obscurity is still a thing.
Please, everyone who wants to flame any of this, come and see us @Hello_Elevate and we’ll have those conversations. Make sure you read this episode and rate and review us. A role that has emerged relatively new in the industry is the Chief Trust Officer. Whether organizations have them or not, if it’s part of the CISO, the CTO, or the CSO organization, we’ve talked about this and how important it is for your organization to demonstrate trust inside the organization. How do you do that?
I’ll start with this. The element of trust is what I help my team and the organization in general to understand that’s what cybersecurity brings to the table. We do enable the strategic objectives. We do enable the business to do the things that the business wants to do but at the end of the day, what we’re bringing to the table is that element of trust.
Our members trust us. In healthcare, our patients trust us. Our business trusts us to help them do the right thing and live up to their responsibilities from an information protection perspective. That element of trust is the value add that cybersecurity brings to the table through resiliency, availability, and the precepts that we ensure as much as possible are there built-in, not bolted on.
The other side of the same coin is credibility. I mentioned a little bit about being focused on education, learning, and development for the next generation of cyber because it is getting more professional. I made a little bit of a tongue-in-cheek remark but many of us got into this from other walks of life. There are lots of History majors and Music Education majors that are chief information security officers.
I like that you slipped music in there real quick.
It’s not like there was a college degree years ago for much of this. Thankfully, now there is. It’s not necessarily that you need a degree to do these things but it speaks to the professionalism and the concentration and the research that’s done in this area and it’s making us better. As people move into that security professional type of focus, credibility is the word that I would use to say as the other side of that same coin. We deliver trust but we have to be credible to do that.
If we’re speaking on requirements, speaking on the right way to do things, consulting, or even stepping in to say no. Sometimes it’s appropriate for security people to say, “We can’t go further with this. We have to find a different way, an alternative to letting this code set go out that has the vulnerabilities in. They’re not false positives.”
Those conversations on a daily basis happen. We’re talking with the board of directors and the executive management team. If I’m not credible and instill confidence, then that trust is not going to follow the value add of cybersecurity to our members and our customers so that they know that they can trust us. I do use those two words. The value-add of cybersecurity is trust and credibility is the way to get that trust. That comes through learning, growth, and being present, engaged in the organization, and flexible to new ideas. There’s been a lot of growth in the area.
I mentioned dev ops. Dev Sec Ops is a real thing that we have to embrace and get better at. It goes back to what I was talking about at the beginning, where we’re pushing out that awareness and training into the organization to build it into areas where people have previously seen cybersecurity as the gatekeeper.
I’m developing my application and my system. I’m an engineer. I come to cybersecurity, get a checkoff, pen tests, or scanning. Those days are gone. If you’re in an organization that wants to move fast and grow forward, you have to push those tools, techniques, and capabilities out to the development community in this case specifically. Security becomes more of a consultant in the second line of defense for those things. That’s a growth opportunity for cybersecurity professionals to understand how to be good at that and be successful.
The last question before we start winding up, you are on the inside of an organization. You have to build a strategy and a culture where you’re relying on your team and the employees inside BECU but you also need to rely on the tools provided by third parties. Where do you see the biggest weakness in our industry when it comes to our approach to cybersecurity? The tools that we are making, the ideas that we are formulating, even the psychology of how we think about attacks and protection, you need to use our stuff. What are we missing or are we missing anything?
Cybersecurity brings the element of trust to the table of any organization.
There are probably three things that come to mind relatively quickly. One is the third-party supply chain risk, whether it's the organization in general or the products that they make. From a security vendor perspective, well on the record and coming to light very brightly is the SolarWinds episode, and we haven't resolved that question. It was like, who's checking the checker? There are a lot of security products that we, the royal we, all of us, buy and rely on. What's the real certainty that those products are going to? The attackers are attacking those products to attack us now. There's that.
The other part of it is third-party risk in general. Our organizations rely a lot on outside managed services and products, so it's understanding that, because we've talked a little bit about the internal threat. Third parties working in the organization are also in that category of being an internal threat in a lot of cases. I can't remember what the third one was.
Final question, let's move over to Leadership Corner. I hope that you're not just CISOing all the time. When you're not doing that, what's on your playlist? Are you reading anything? Are you cooking? Do you garden? Do you do a quest during events?
There are two books that I’m working on now. One is Accelerate by Forsgren. The name on here that drew my attention to it is Gene Kim. I’ve been reading a lot about The Unicorn Project. I haven’t just read that but that’s where it comes from. Brené Brown’s Dare to Lead is one that I’m reading now. I do not want to get the reputation of somebody that does that recreationally. That’s not what I do for fun.
You don’t CISO for fun?
No, and I don’t necessarily read these books for fun either. I’m just trying to keep the saw sharpened but I like to travel. I’m a cigar aficionado. It’s another insane and controversial thing for me to say but I lived in Tampa years ago.
Shout out to Hoyo de Monterrey down there in Ybor City.
It’s a part of citizenship. You can’t be a citizen of Tampa without being in Ybor and enjoying the cigar culture. I don’t drink wine but I understand that the culture of wine is much like the culture of cigars. It’s not as fashionable in some circles.
Shameless plugs. People that are looking for you and want to know more about what’s going on at BECU, social media, websites, talks, papers, or anything like that? How can we help people find you and all the good stuff that’s going on?
I don't have much in the way of advertisement. I am on LinkedIn. You will find me very easily. BECU.org is our corporate website. If you are in the State of Washington, if you live, work, or worship relative to the State of Washington, please come join us as a member. We'd love to have you. We're doing great things. We are people before profits. It's one of our phrases.
As far as the shameless plug goes, I will say this. Getting into financial services for me coming out of healthcare for so many years and military service. It was a natural transition, probably different than if it would have been some other financial services organization that I went to because BECU talks about being a member first and it’s a real thing. It’s truly our focus.
We talk about financial health and are interested in making sure the communities that we serve are healthy financially. Again, it’s a real thing. I feel it on a daily basis that we’re true about that perspective. That’s helpful to me because I do have a passion for cybersecurity in general but it does have to be complemented with a passion for the organization. That’s true about BECU. We practice what we preach. That’s uncommon in this day and age, as far as I know.
We talked about trust. Having someone you could trust, especially when we’re talking about the things that, as we said, feed the children, keep the lights on, power your business, and all of that stuff, you’ve got to have somebody that knows what they’re doing. The good news is Sean Patrick Murphy, there’s only one of them in the world. I’m sorry, that’s 11% of all Irish men. You may have to do a little deeper Google dive to make sure that you can find it.
It’s the most common name in Ireland as far as that goes but it’s a little uncommon in America.
Pretty sure in Chicago and Boston, we could probably find 1 or 2 of you floating around.
The good news for me generally is that there's a pretty good major league baseball player, a catcher for the Oakland A's. He does a lot of things, so his name comes up a lot faster than mine does.
Is he keeping your money safe? Probably not but he’s got a good arm.
He will be keeping his money safe.
Sean, thank you so much. Consider this your official invitation to come back around. We do this every week and we’ve got some great guests. We are looking to put some panels together to have longer conversations. Come on back.
I appreciate it. Thank you very much.
Let’s do it again. For everybody else, you know what you need to find. Thanks for joining us on the show. For more information on all that’s good in the world of cybersecurity and preventing insider threats, make sure that you check us out on LinkedIn and Facebook, as well as ElevateSecurity.com. You can find me @PackMatt73 across all the socials. All we ask is that you subscribe, rate and review. Give us 5 stars because if you give us 4, are you a hater? Why not? If you’re going to give us 4, you might as well give us 5. Until then.
Important Links
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- BECU
- LinkedIn – Sean Murphy
- Accelerate
- The Unicorn Project
- Dare to Lead
- @PackMatt73 – Instagram
About Dr. Sean Murphy
Dr. Sean Murphy is an accomplished cybersecurity executive with more than 20 years’ experience leading information security and risk management in highly regulated industries and fast-paced organizations in the military, healthcare, and financial services space. In his current role as SVP, CISO at BECU, he is responsible for providing and optimizing an enterprise-wide security program and architecture that minimizes risk, enables business imperatives, and further strengthens the company’s security posture.
Sean retired from the U.S. Air Force (Medical Service Corps) after achieving the rank of Lieutenant Colonel. Sean has served as CIO and CISO in the military and for private sector organizations. Sean has a Ph.D. in Information Security from Northcentral University, an MBA (advanced IT concentration) from the University of South Florida, a master’s degree in Health Services Administration from Central Michigan University, and a bachelor’s degree in human resource management from the University of Maryland. He serves (past and present) on industry security boards, is a noted author at a national level, and the author of numerous industry whitepapers, articles, and educational materials, including his most recent book, “HCISPP All in One Exam Prep,” published in 2019 by McGraw-Hill.