Secret CSO: Marc Lueck, Zscaler

Name: Marc Lueck

Organisation: Zscaler

Job title: EMEA CISO

Date started current role: April 2019

Location: London, UK

Marc Lueck is a senior security practitioner with over 20 years of experience crossing multiple industry sectors, from financial services to publishing. With a strong technical background, he has spent the past ten years leading security improvement programmes for the likes of Pearson, T-Systems and Symantec. Lueck is also an advisory board member of ClubCISO, a security leadership peer group.


What was your first job? My first job was making pizza at 15. Like most kids my age in the US, food tended to be everyone's first job!

Did you always want to work in IT? No, from high school on, I was on a path to be an educator, training to become an English teacher, and that's where I thought my life was going to end up. And yet, from when I was very young, I was interested in IT. I ran a multiline BBS as a hobby and was learning to program in BASIC on the Apple IIs at school. I installed memory chips one by one in my TRS-80 Model III. I was that geeky kid.

Sadly, I didn't recognise IT as a worthy career pursuit soon enough, and therefore I chose the education route. It wasn't until I'd become disillusioned with being a high school English teacher that I fell back on my "hobby", and I never looked back.

What was your education? Do you hold any certifications? What are they? I have had almost no formal education in IT. I was an English major in an American university. I learned some programming like everybody did in high school. I remember studying Pascal and I did BASIC myself, and I've since held product-specific certifications over my career, but I have never put any real stock in certifications. I have completely built my career on my experience and my ability to communicate that experience.

Explain your career path. Did you take any detours? If so, discuss. When I left university, I was working for my dad's tiny three-person company trying to sell a "new" technology: fax printers. Fax machines were still popular at the time. You might print out an invoice on a dot matrix printer and then feed it to a fax machine and send it to someone. We were selling a device that would combine the two so you could just print it straight to a fax number. It was a great system but obviously wasn't relevant for too long!

After that I very swiftly became a telephone tech support person at an Apple Macintosh peripheral manufacturer in Minneapolis-St. Paul, where I am from, helping customers with support for their Macs. That's when IT really started to become my career.

My transition into security came after I moved to the UK in 1994. In 1995 I was trained in Unix while I was working at The Guardian newspaper. When management started talking about setting up a permanent connection to the Internet, a new proposition that looked like it might be quite important, I said to my boss's boss: "I don't think that's sensible - there are these things called firewalls we need". He told me to "go figure it out and buy one".

That was the beginning of my career in security. I ran a competitive analysis and a proof of concept and ended up buying Firewall-1, version 2, when it ran on a Sun Solaris pizza box.

What business or technology initiatives will be most significant in driving IT investments in organisations in the coming year? Building centralised applications that an IT team provides access to, via endpoints managed by the same team, is no longer a technology that is in vogue or even useful these days. The tech we are using now is an extension of our lives. It's no longer a tool to be used in a certain prescribed way. What's really going to drive investments and budgets is the evolution in our utilisation of and our relationship with IT. That means homeworking, and more cloud provisioning of services and applications. The idea of actually building your own compute resource is going to become even rarer.

What are the CEO's top priorities for you in the coming year? How do you plan to support the business with IT? As a security technology company, the security of our platform, and the security of our organisation is even more important because our reputation and our sales rely on trust. My role is to continue to establish, build and maintain trust between ourselves and the industry and ourselves and our customers. That is my overriding and overarching responsibility and what our CEO expects.

Does the conventional CISO role include responsibilities it should not hold? Should the role have additional responsibilities it does not currently include? In the past the CISO used to own security operations. I think in a sensible modern world, the CISO should be focused on governance of data and the IT used to process, access and store it. The CISO should not own the operation of it, not the clean-up of it, not the protection of it. The CISO should set the rules and have IT implement the rules, rather than setting and implementing the rules. The CISO should be much more involved with that data and the risk elements of the business.

Are you leading a digital transformation? If so, does it emphasise customer experience and revenue growth or operational efficiency? If both, how do you balance the two? I'm helping lead hundreds of digital transformations for our customers from an advice and governance perspective. Our own business was fully transformed from the ground up. Zscaler's strapline is "born in the cloud" - it's not just that our platform was born in the cloud, but we as a company were also born in the cloud. We don't have a single datacentre, and we don't have a single bit of physical IT infrastructure sitting somewhere for our internal use. Everything we do is cloud-based because we're a new modern company, and that means our digital transformation is continuous.

When you think of a 'traditional' digital transformation it's more about embarking on a journey where you are transforming from one architecture to another architecture. When that previous architecture never existed, like at Zscaler, then the question needs to be rehashed into what's more important to you, your customer experience or operational efficiency? For me, the clear answer is customer experience. Operational efficiency is not even a concern because everything you're doing when trying to change old architecture is to help the business to perform efficiently. In my opinion, customer experience or employee experience wins.

Describe the maturity of your digital business. For example, do you have KPIs to quantify the value of security? There have been teams of people and independent think tanks set up to answer the question of which security metrics demonstrate value. I've been part of some of them. Security is a risk mitigation function and a cost avoidance function. How do you measure success with that?

In my opinion, we have to do it based on old fashioned risk analysis. If we didn't have security, these bad things would happen. Those bad things have this much impact, that impact can quantify into a dollar figure, while spend on our side is this much and therefore, we have this level of efficiency. But again, that's not really value, it's risk mitigation.

What does good culture fit look like in your organisation? How do you cultivate it? Someone who is technically savvy, totally aware of what a threat is, and of what it is that our business is built to achieve. We also value people who know how to be agile and aren't fixated on old-fashioned ways of doing things.

What roles or skills are you finding (or anticipate to be) the most difficult to fill? We set our standards high and are almost on the lookout for unicorns when we're hiring. We look for people who have a very strong technical background, the ability to understand the technology that underpins our offering, but also to understand the mega shifts of the industry to comprehend philosophically how far we've come from 10 years ago, when the cloud was in its infancy. We also need people who can communicate that, who are highly engaging, personable, and communicative. The combination of the two skillsets in one person can be difficult.

What's the best career advice you ever received? My boss at Pearson said: learn to delegate and learn to let go. You can't do everything, and you have to enable your team and enable your colleagues to do your job.

Do you have a succession plan? If so, discuss the importance of and challenges with training up high-performing staff. In our CISO team, in order to be able to duplicate or replicate our functionality we need a way of being able to upskill people in quick fashion. Hiring a CISO internally is just very difficult to do because you're looking for people who are practitioners who've come out of the industry who have done this work before.

What advice would you give to aspiring IT leaders? Build, maintain and focus on your people skills. Align yourself to the business and don't get tunnel vision for IT.

What has been your greatest career achievement? When I was at Pearson, I was responsible for building a threat management capability where none existed before, and to establish something which was quite new at the time, which was a threat intelligence function. I wasn't told what it had to look like, I was just able to go and build it. I was very, very proud of myself and my team building an internal and external threat monitoring function that has since been replicated in tooling that you can buy commercially. It was able to validate and had metrics to qualify and quantify the threat intelligence from external and internal sources, so I was able to really start to apply a sensible level of risk that we could go and report upwards to the business. It was consolidated and had a single reporting mechanism. I was and still am very proud of it.

Looking back with 20:20 hindsight, what would you have done differently? I've had a pretty good run of luck over the years. I spent 11 years from 1997 - 2008 as a contractor though, seduced by the paycheque. Looking back on it, I learned a lot, but I would have cut that in half and started my career path at the age of 35 instead of 42. That was my biggest mistake.

What are you reading now? I'm reading a fantasy novel by Joe Abercrombie titled Before They Are Hanged. It's his first novel, and the pacing and foreshadowing is laid on a little thick, but I'm enjoying it.

In my spare time, I like to… I'm not ashamed to admit it, I still like to play video games. Playing a little Red Dead Redemption 2 after my kids go to bed at the moment.

Most people don't know that I… I'm quite adept at pretty much any home improvement task - with the notable exception of plumbing. My wife will no longer allow me to get anywhere near copper pipes!

Ask me to do anything but… Troubleshoot your PC problems.