Secret CSO: Michael Zachman, Zebra Technologies

What do you feel is the most important aspect of your job? “Communication.”


Name: Michael (Mike) Zachman

Organisation: Zebra Technologies

Job title: Chief Security Officer

Date started current role: June 2018

Location: Chicago, Illinois USA

Mike Zachman is the Chief Security Officer (CSO) at Zebra Technologies, where he has global responsibility for its enterprise-wide product security, information security, corporate security and business continuity programs. Zachman is an experienced global leader with more than 30 years of information security, risk management and information technology expertise. Previously, Zachman was Chief Information Security Officer (CISO) at Caterpillar, Ecolab, and Forsythe Technologies. He spent five years living in Europe while working for Caterpillar.

What was your first job?   My first job in high school was IT support for a local real estate appraiser.  I did everything from data entry to PC installations.  My first job after college was as an IT Analyst for Caterpillar where I supported networking between factory systems, engineering workstations, and the mainframe data centre.

How did you get involved in cybersecurity? At Caterpillar, I was asked to lead the IT Audit team within Internal Audit.  Sarbanes-Oxley (SOX) was coming, and Internal Audit was leading the development of SOX controls. I led the development and deployment of Caterpillar’s IT General Controls where I discovered my “love” for managing risks and controls.  After that, I ran Caterpillar’s Enterprise Risk Management function and eventually became Caterpillar’s first Chief Information Security Officer.

What was your education? Do you hold any certifications? What are they?  I have a BS in Management Information Systems from Millikin University, and a Master’s in Business Administration from Bradley University.  I hold the following certifications: Certified Internal Auditor (CIA), Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise Information Technology (CGEIT).

Explain your career path. Did you take any detours? If so, discuss.  The first half of my career was devoted purely to IT. I started with technical roles in IT infrastructure as well as application support and development before moving into IT leadership roles for infrastructure and applications.  I finally had broad IT leadership roles for all aspects of IT across a geographic region. Halfway through my career, I took a turn into risk management.  As previously mentioned, I worked for many years in IT Audit and Enterprise Risk Management before moving back into IT as a Chief Information Security Officer. I eventually moved into my current position of Chief Security Officer, responsible not only for cyber security, but also product security, corporate (physical) security and business continuity.

Was there anyone who has inspired or mentored you in your career? Yes, I’ve been fortunate to have several inspirational leaders and mentors in my career. A key mentor was Jean-Bernard (JB). JB was my manager during my five-year tenure in Belgium and Switzerland for Caterpillar. JB introduced me to the book “Who Moved My Cheese” by Dr. Spencer Johnson, which is a fantastic read that taught me a great deal about the impact change has on an individual’s work and personal life. He also taught me to embrace and champion change, not resist it.

What do you feel is the most important aspect of your job? Communication. One of my key responsibilities is ensuring our business leaders understand the risks they face and the options for mitigation. At the same time, I also have to ensure our technical teams understand our company objectives, priorities, and constraints.  I need to be able to effectively bridge the very wide “understanding gap” between these groups.

What metrics or KPIs do you use to measure security effectiveness?  Security metrics remain a combination of art and science, subjective and objective.  Some of the metrics I have consistently used include: Cyber Security Capability Maturity based on the NIST CSF; incident response metrics (time to detect, time to contain, time to recover); security awareness (phishing susceptibility, training compliance); program management (projects on-time, on-budget, on-scope); threat and vulnerability management metrics (patching timeliness, vulnerability risk scores, standards compliance).

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes. Key skills that have been difficult to recruit for include security operations, security architecture, and threat and vulnerability management.

Cybersecurity is constantly changing – how do you keep learning? Curiosity and vigilance are key. I stay very active with my professional networks. These networks are both formal, such as ISACA and Gartner, as well as informal through email lists and community get-togethers. Regardless of the method, I have found ongoing discussions with other cybersecurity leaders to be an effective method to stay current. Combine this with daily news aggregators, appropriate conferences, webinars, and other continuing education options, and it’s easy. 😊

What conferences are on your must-attend list? None. At this point in my career, I find it most effective to “hop” conferences from year to year. One year I may choose RSA and another year could be DefCon or Gartner. I also always try to support local conferences such as B-Sides and ThotCon here in Chicago.

What is the best current trend in cybersecurity? The worst? The best trend I see is the move to “zero trust” security models because network perimeters are no longer clearly defined. Applications and data are often in both on-premises data centres and in the cloud. Users are typically accessing company resources from many different devices and locations. The worst trend I see is the struggle for visibility. Where is our data? Who has access to it? What devices are on the network? It is extremely difficult to protect something you don’t know exists.

What's the best career advice you ever received? An early manager and mentor repeatedly told me, “Focus on excelling in your current role, not worrying about your next one.” Clearly, we all must take personal ownership of our own career, but his point was that too many people get the priority reversed. Excel in the present to pave the way for your future.

What advice would you give to aspiring security leaders? The skills that make you an excellent security engineer will not make you an excellent security leader. Security leaders rarely fail due to technical skills. They typically fail due to lacking communication skills, business acumen, or leadership skills. The best security leaders have a strong technical base, but they must focus on being a business leader to be successful.

What has been your greatest career achievement? I have to say it is being Zebra’s first CSO and building out our current security organisation, which is responsible for cyber security, product security, corporate security, and business continuity.  I am extremely proud of what we have accomplished the past two years.

Looking back with 20:20 hindsight, what would you have done differently? I would have spent more effort on change management. Dr. Spencer Johnson’s book taught me that change is hard and impacts different people in different ways. I often spent too much energy on the technical elements of a solution and not enough on the change management elements that were needed for success.

What is your favourite quote? Winston Churchill said, “If you find a job you love, you'll never work again.”

What are you reading now? RED - My Uncensored Life in Rock by Sammy Hagar

In my spare time, I like to… Help my kids do home repairs and yard projects.

Most people don't know that I… was a dance DJ in high school.

Ask me to do anything but… dance. It’s not a pretty sight!