Secret CSO: Myke Lyons, Collibra

What do you feel is the most important aspect of your job? “I think being well integrated into the whole business is a really important aspect because it’s one of the hardest things to do.”


Name: Myke Lyons

Organisation: Collibra

Job title: CISO

Date started current role: April 2019

Location: New York

Myke Lyons is the Chief Information Security Officer at Collibra, a leader in data intelligence. He is responsible for owning and championing the company’s security governance and advocating for both customers and Collibra’s technology. Lyons brings over 20 years of experience in information security, most recently as Head of Security Strategy at ServiceNow, an enterprise IT cloud company. Previously, he served in various senior security analyst and security architecture roles at Grey Group and WPP Group.

What was your first job? I’m actually a chef by trade! My first job was in the kitchen as a short-order cook: making pizzas, frying chicken, and making breakfast sandwiches – all that stuff. A “typical” start.

How did you get involved in cybersecurity? I got into cybersecurity by accident – I originally went to school for culinary arts, and while I was studying, I needed a summer job. A friend of mine ran an IT outsourcing company and needed someone to move printers. Once there, I was assigned to work for a marketing company that had just won Xerox as a client. They had HP printers throughout their office, and despite the fact that they worked perfectly well, we had to throw out the HP printers and replace them with new Xerox printers.

My job was to help pick up these big, heavy, Xerox printers and move them somewhere else. One day, the IT manager asked me if I could install a printer driver – to which I replied, ‘What the heck is a printer driver?’ and she sent me a website that sent me down a rabbit hole on a hacker forum. That’s how I got into cybersecurity – I taught myself how to use a computer by reading about cybersecurity on those types of websites.

My first cybersecurity-specific role was building work operations centres. This was back in the day where security operations centres were only available in very sophisticated businesses. In less sophisticated businesses, there was usually just one point of contact for security, so when we started to buy security technologies that weren’t just firewalls, I put my hand up. I volunteered to do all of the security tooling and monitoring to find out how we could use IT technology for security uses to help protect our network.

That change didn’t happen over a very long period of time, honestly – it happened over a summer. By the end of that summer, I was the lead technology person, so I took to computers pretty easily. You could say I found my calling!

What was your education? Do you hold any certifications? What are they? I went to a culinary school called the CIA, so I like to poke fun at the similarity between the well-known CIA (Central Intelligence Agency) and the other CIA (Culinary Institute of America) that does cooking. In terms of certifications, I’ve had a CISSP for about 10 years or so, and that has been the primary certification that I’ve maintained.

I’ve taken a number of other courses but haven’t had the need for certifications in my career as I like to stay with certain organisations for longer periods of time. I left my last firm after almost eight years, and before that, I was with another firm for about 12 years.

Explain your career path. Did you take any detours? If so, discuss. My career started in IT support, and then moved to the networking aspect of IT. I had done a little bit of project management at one point, although we really only used the title of ‘project management’ as an umbrella term for all security-related projects.

Afterwards I moved into a new role as a remote incident responder. While I was working in that position, I built an entire team and practice, as well as some technologies that actually became a product that is now widely sold. In that way, I sort of functioned as a Product Manager and a Head of Strategy for a business unit that created cybersecurity software. During that period, I also spent a lot of time speaking with some really influential CISOs about the way they were remediating all their operational issues.

I did that for about three years, and then I took a small hiatus where I went into a sales-based function. I intended to work in sales for a set period of time so I could understand that side and the pressures that sales folks were under. Afterwards, I decided to move back and go whole-hog into the security side as the CISO of Collibra.

Was there anyone who has inspired or mentored you in your career? There are so many people who have influenced me – one of them is Justin Dolly, the COO at SecureAuth. He was my CISO at one point and really inspired me, so I hold him in very high regard. Josh Lemos, the Head of Threat Research at Cylance, is another person I've stayed connected to over the years and really respect.

If I’m in a corner, those are the two people I would go to and ask how they would handle the problem at hand – then again, I hate to highlight only two people, when in reality I spent two hours on the phone the other day with a different person I also hold in high regard!

Maybe what I would say here is that my way of receiving mentorship happens organically and at the level that is appropriate – sometimes I’ll go to an executive for guidance, sometimes I’ll go to a specific domain expert, and sometimes I’ll go to a more boots-on-the-ground expert. These different perspectives are all extremely important to get the job done and I like to go to the folks who are the current specialists in their roles to see how trends are moving, as there is often a lot of flux in the security space as it matures.

What do you feel is the most important aspect of your job? I think being well integrated into the whole business is a really important aspect because it’s one of the hardest things to do. For instance, I benefit by working for the CEO at Collibra, so I’m part of the team that is directly reporting into the CEO. There’s not a single person in his direct meeting that I don’t interact with daily. Because my actions can negatively or positively impact the business, I have to talk to them and make sure I’m aware of every single moving part of the business, so that I make the right decisions.

It's also important for me to act as a sounding board for the team. For example, my General Counsel likes to say she is the attorney for Collibra, but she is also all of our attorneys. She gives legal advice to us because it’s for the benefit of the company – I like to offer the same thing from a security perspective, for example, ‘Hey, what did you just do on your phone, let me help you with that. Let me be your security person.’ I help make sure we have those security hygiene aspects in place.

What metrics or KPIs do you use to measure security effectiveness? Vulnerabilities, remediation, and asset management are key components – so much so that it was the product I built at my previous company. Vulnerabilities are critical and a way of life in security – you start off by coding as bugs, then you have to fix and remediate those bugs. It’s a really good measure as to whether or not you’re effective, and to do that, you need to ask yourself, ‘Do I know what my assets are? Do I feel like I know about how many assets I have?’

I hate to tie emotion back to this, but quite frankly, when it comes to assets and vulnerabilities, most of the time you know where your weaknesses lie. You know where the majority of your blind spots are, and you’re not comfortable with it – it keeps you up at night.

Some people could potentially argue that if you constantly patched everything whenever it happened, you could drive the business into the ground. But with any organisation that’s effectively patching at that level, there are also testing procedures, plans, and other measures in place to counter any business failures.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I hear AppSec is probably the hardest place to hire, but frankly, I think the right AppSec people are hard to hire. You can hire a lot of middle-of-the-road AppSec folks, but it’s a matter of finding the right ones – and that applies across the board to all other security roles.

I think finding people who are at the stage where they’re just out of their first security job is the hardest; the folks who are super eager, really looking to grow their career, and want to gain a combination of new skills. People like that are challenging to find because there aren’t many of them.

Luckily, I know where to look when it comes to operational security people because I’ve been in the industry for a while, but I do know a lot of people who struggle with finding that eagerness and interest. There’s also a lack of mentoring and guidance for new security people – candidates will say, ‘I want to be a pen tester, or a threat hunter,’ or whatever the job title du jour is, and will chase after the latest trend without realising they can gain those same skills in their current role.

Cybersecurity is constantly changing – how do you keep learning? Apart from reading the papers, I like to follow some key thought leaders and influencers in the security space on Twitter, to help me stay updated on the latest news and trends. For example, I like to follow Anton Chuvakin, who has just moved over to Google’s new security company, as well as some really well-known researchers, like Dino Dai Zovi and Mikko from F-Secure. I also read researchers’ periodicals and blog posts, as long as they focus on a specific problem, not just the product side.

What conferences are on your must-attend list? I like to attend Black Hat and still find it valuable. Unfortunately, I’m not going this year; I simply don’t have enough time to attend – it will actually be the first time in 7 years that I’m not going!

RSA is also another really good networking conference. There’s also a great Gartner Security & Risk Conference in Washington DC that I like.

What is the best current trend in cybersecurity? The worst? In terms of the best trends, I like to focus on assets and understanding the things you have to protect. I also like the focus around data, such as data governance and data classification, which obviously play back into privacy aspects. I’m also interested in the ethics behind data, and how data should be used.

The worst trend is the automation of absolutely everything – full-scale automation. Don’t get me wrong, I’m a big advocate for automation, and it’s a technology I spend a lot of time developing. However, buying some Easy-Bake Oven or set-it-and-forget-it type of technology is what is being touted by some senior security people, who say ‘I’m just going to automate everything’ – but really, what does that mean?

What's the best career advice you ever received? Be hungry and humble.

What advice would you give to aspiring security leaders? When you find a problem somewhere, tell a story about what you found, how bad it is, and what you’re going to do to remediate it. If you’re walking in a hallway and see something knocked over on the floor, don’t stand there and call five of your friends over to talk about how it could have been knocked over, where it got knocked over, and how it’s going to hurt somebody because it got knocked over. Just pick the damn thing up! You can tell everybody about it later, but it’s your problem right now – you found the problem, now fix it.

What has been your greatest career achievement? I got a patent awarded to me in January, which I was pretty excited about – it was a bucket list item for me. It was a patent in post-incident review and automation around it. In this case, it’s a really good thing to automate!

Looking back with 20/20 hindsight, what would you have done differently? I probably would not have stayed as long as I did at each firm and gone through so many role changes within those firms. Maybe sticking to just four- or five-year stints, rather than eight- to twelve-year stints. That said, it’s tough to make that change when you’re working for a company that’s in its hypergrowth phase, and is still growing at pace. For example, when I joined my previous firm 7 years earlier, they had 300 people, and when I left they had over 7,500 people.

People shouldn’t worry too much about changing jobs – that’s the way we are now. I think that’s also the way that security is – it helps you gain a new perspective and it will help hone your skills faster.
