Global CISO Forum Podcast – Awards Series: Marvin Marin
September 7, 2016

In this Podcast:
Welcome to a special series of the Global CISO Forum Podcast honoring the EC-Council Foundation Infosec Tech & Exec Awards Finalists! For the next three weeks we will be interviewing the best and brightest in infosec who have been named finalists for the CISO of the Year, Certified CISO of the Year, Most Improved Security Program of the Year, and Most Innovative Security Project of the Year. Learn more about our finalists here.

Transcript

Amber:
Welcome to a special series of the Global CISO Forum podcast honoring the EC-Council Foundation Infosec Tech & Exec Awards finalists. For the next three weeks, we will be interviewing the best and brightest in Infosec who have been named finalists for the CISO of the Year, Certified CISO of the Year, Most Improved Security Program of the Year, and Most Innovative Security Project of the Year.

Announcer:
Welcome to the Global CISO Forum. The podcast for information security executives.

Amber:
With us today is Mr. Marvin Marin. He is the program manager at NetCentrics, but more importantly he was nominated for CISO of the Year for the upcoming Infosec Tech & Exec awards hosted by EC-Council foundation. Welcome, Marvin.

Marvin:
Thank you for having me.

Amber:
Congratulations on your nomination.

Marvin:
I’m very excited.

Amber:
Are you going to make it to the gala next month?

Marvin:
I am. I’ve already reserved my seat and I believe I have a few people coming with me.

Amber:
Oh, a few people, awesome. That’s very exciting. I will see you there. We’ll get to meet in person, but until then let’s get to know a little bit more about you. Your nomination is interesting. You were nominated by Neil Goodreau and he was actually the CISO of the Year for our awards program last year, so that of course caught the committee’s eye right away. He gave you a stunning, glowing, glittering nomination for this award and it was just very impressive through and through.

He talks about your work with the Coast Guard, enhanced compliance scores. You’ve increased inspection results. You’ve developed a web and application security team from scratch is what it sounds like. You’ve developed tools to automate it and improve enterprise information security management and governance framework. The list goes on and on. You’re obviously very accomplished. Let’s talk a little bit about how you got started in information security.

Marvin:
Great. As a young high school kid, of course, just like anyone else, loved tinkering with computers. I enjoyed it. Loved programming, running my own bulletin board system, et cetera. I took that and said, you know what, I want to make a career out of this. Started fixing computers for a living. That translated into getting my first certification, which allowed me to become a network administrator.

From network admin, I then moved over into security. In security I’ve learned forensics, incident response, pen testing. Did a little bit of policy. Of course, certification and accreditation, and of course, technical audit. What I found was that, for my career, at every level I was learning something new or working on a certification to demonstrate I could do work at the next level. That kept pushing me and I kept on leaning forward to where I’m at presently.

Amber:
That brings us to the present then. Tell us a little bit about NetCentrics and what you do there.

Marvin:
NetCentrics is a great company. I love it. Right now, I am the program manager for Coast Guard [inaudible 00:03:25] command. I’m the technical program manager. I manage two technical tasks for certification/accreditation and compliance and reporting, as well as evaluation.

What that really means is our team, the team that I manage, is all about auditing the network, making technical evaluations, and then providing that information to the compliance team so they can figure out what’s really going on in our network, what’s happening, what is wrong, and what needs to be corrected. Figuring out solutions to make those corrections.

On the certification and accreditation side, being able to document, evaluate risk, document risk, and of course have the government accept risk for the operation of those systems on the network.

Amber:
It all comes down to risk in the end. Also, Neil highlights your work in information security awareness programs. What can you tell us about that?

Marvin:
One thing that I found through the span of my career is it’s all about networking and data sharing. Forming those friendships and those communities to be able to provide one another with information, specifically on lessons learned. What has worked for me? I can give you a great example of that. Within the Marine Corps, they stood up a very successful web application security program and that program was the model for how we started the Coast Guard program.

We were able to take those lessons learned, their documentation through that relationship, and build our program from scratch and be able to catapult ourselves further along than maybe even some of the other services that were probably better resourced than I. It was exciting. We were able to, again, start it from scratch, hire an individual that has been industry acknowledged by SANS and a couple other organizations, and really change the dynamic on how web security is performed within the Coast Guard.

Amber:
It sounds like you have great leadership skills and that’s something that Neil highlighted as well. When did you become a leader?

Marvin:
I think it’s an ongoing process. I think it’s all about you put yourself into a position where you assume responsibility and you really assume accountability. You take that next step to say, “This is my team. I’m taking responsibility for them. This is the target I want to hit. Let’s go there.” Then, you trust that your team will follow you to that destination if you provide them with sufficient tools and guidance to get them there.

I love working with people. Security, one of the hidden dynamics of security is a lot of it is people management and understanding people and really understanding how they play into the security program. If you are able to motivate and empower your team and get them to really believe that what they’re doing is important, then the leadership stuff just really works itself out.

Amber:
Would you say the bigger challenge is the technical side or the leadership/people side?

Marvin:
That’s a very good question. I think that the technical piece, for the most part, solves itself. We can always figure out innovative and creative solutions or a vendor will come in and say, “Hey, I’ve got the solution that does X.” We can always figure out how to incorporate multiple vendors, multiple solutions to solve a problem.

I think the real problem in security is, the real problem to solve is the people dynamic. Figuring out how to get past reluctance or distrust. A lot of people think that security is all about saying no. From my perspective, it’s all about changing that mindset and getting security professionals to understand that you’re in business to find a solution, find a way to say yes. Operate within risk.

Amber:
Yeah, that’s really interesting. What’s the biggest challenge? Do you have a specific story you can tell us about the biggest challenge you’ve ever encountered? In your career, obviously.

Marvin:
I think the biggest challenge that I’ve seen in my security career has been the reluctance of and the reliance of security professionals to use checklists. They don’t want to go away from them. They use them almost like a crutch and what they do is when they use these checklists, they’ll go in, perform an audit or an inspection, and say, “I’ve evaluated that particular item and based on my checklist I have to fail you.”

When other particular compensating controls or other mechanisms may exist so that a more professional or holistic security professional would say, “You know what? You’ve met the intent or the spirit of that particular control. We think that you’ve mitigated it enough that we can go ahead and pass you and concentrate on the issues that are really important or potentially more damaging to your environment.” I see that as a major challenge within our industry and we need to change that mindset.

Amber:
It sounds like you’re talking about a very rigid mindset that doesn’t allow for variation in industry or situation. Is that the problem you see?

Marvin:
Absolutely. I think that it’s all about the black and white of that particular item, that checklist item, and not really applying your critical thinking skills to say this technology or other protection mechanisms are in place to solve or mitigate that particular risk. Again, it goes back to risk assessments and risk acceptance. If you’re pretty close and you’ve met the spirit of the control, then go ahead and pass them for that because they as an organization might have to concentrate somewhere else and you’ll get more juice out of that particular squeeze.

Amber:
I see. That makes sense. That is a trend we talk about a lot. Not a trend but a core part of the CISO job is to focus on risk and things really boil down to risk. How do you see the CISO role changing? It’s changed a lot from the inception, when it was a very technical role. Now it seems to be focused on risk. There’s a lot of talk about being part of the business. What do you think the next step for the role is?

Marvin:
I do believe that the CISO role is definitely going more towards the business side of the house and I agree with that approach. I think the understanding of risk, understanding how the risk impacts the business. Ultimately what we as security professionals should be concerned with is the operation of the business in a secure manner or secure enough that the organization has accepted that risk.

We’re never getting to that 100% solution. Nor should we, because most of the time when you get there, you can’t operate the business and you can’t complete your mission. Finding that fine balance between acceptable and not acceptable risk and to do that it’s really application of your technical skills but really that fundamental knowledge and understanding of how business works, how logistics come into play, finance, business, human resources, et cetera. I think also that really helps you to understand your customer base because we as security professionals are providing a service to these customers that may not understand security but definitely need it.

Amber:
The two jobs that are listed on your nomination, it looks like the previous job you had or maybe this was a previous project, is the Marine Corps and you’re currently with the Coast Guard, which is under DHS. Of course, in your job with NetCentrics. Why the focus on the US government and military operations? What drew you to that?

Marvin:
I guess I’m really passionate about that feeling of contributing and providing protection to those that serve us. I like the idea that what I do in some small part protects the systems that people rely on. For example, in the Coast Guard, when you’ve got a cutter out there looking for someone, search and rescue operation, and looking for that life in distress, to know that they can rely on the systems that we’ve done security work for and we’ve done our due diligence in securing, that to me really strikes me as important. I think that there’s so many jobs where I could work at a bank. I could do this, I could do that. I think deep down, service to those that serve is for me as the most important thing in my life.

Amber:
I figured it would be something like that. That’s great. I really like that mindset. Does that make it easier to get excited about different initiatives that you want to take?

Marvin:
I think it does. I think at the end of the day it really motivates me to know that these people are doing something very important for our national interests, protecting our maritime interests, and that what I do plays just that little small part and they can rely on that technology to be secure, that our enemies are not able to intercept that information and then use it against us. They can feel that the information that they’ve got, the systems that they’re using are always going to be there so they can rely on them.

Amber:
That is very worthy. You’ve accomplished a lot. You’ve secured this nomination, hopefully the award. What are your next steps? What’s a skill you want to hone or a goal you want to achieve in the next 5-10 years?

Marvin:
That’s a great question. I have a passion for learning. I love reading. I love picking up books. I love getting that next certification. Right now, I’m working on the Certified Ethical Hacker. I’m also working on my Information Security Master’s degree. I’m really interested, kind of more of a long term, just like you said 5-10 years, I’m really interested in looking at a graduate certificate in business or an MBA. I feel that, as you mentioned earlier, it’s all about understanding both the technical side and the business side to accomplish your mission.

Amber:
That’s really interesting. That’s a question I ask a lot of our guests on the show. Would they think about getting their MBA, and I’d say about 25% of them have it and then another 25% are planning to get it. I see that as a trend too just based on my very small sample size here on the podcast. That would be right in line with what your peers are doing, so that’s excellent. Well, I’m happy to hear you’re going after the CEH. The EC-Council appreciates that. It’s interesting that you’ve done the CISO role and you’re going backwards to get a technical, or I guess it could be seen as going backwards to get a technical certification but is that just some skills that you need or something that you were interested in doing for a long time?

Marvin:
I currently do the work and in the defense community, obviously a CEH allows you within DOD-8570 and DOD-8140, allows you the ability to do certain pieces of work. As a CND-SP Manager, I manage those people. I truly believe that as a leader I should understand the requirements that my personnel are under and that I should share in that. I should seek that same qualification so they know that I understand what are the challenges that they face. I understand the work. I understand the technical complexity so that when I make my manager or leader-type decision, it’s based on that understanding and knowledge of the technical side coupled with the business and mission side.

Amber:
Well, that is very cool. I admire that a lot. You sound like you’re invested in learning. Well, I will finally get to meet you next month. Thank you so much for coming on the podcast and we’re pulling for you. Congrats on your nomination.

Marvin:
Thank you so much. I’m so excited.

Amber:
Have a great day.

Marvin:
You too.

Amber:
That’ll do it for this episode of the Global CISO Forum podcast. The show is produced by Saba Muhammad, edited by Shandiin Tome. You can help the show by subscribing on iTunes or Stitcher and if you would leave a review for us, that would help other people find the show. Until next time, this is Amber Pedroncelli.

Announcer:
Thank you for tuning in to another edition of the Global CISO Forum. The podcast for information security executives.
