Secret CSO: Mike Wilkes, SecurityScorecard

What metrics or KPIs do you use to measure security effectiveness? "When I worked at Marvel, I joked that it was my job to keep Iron Man safe... we had multi-factor authentication on our social media accounts for him and for all of the other heroes, gods and mutants."


Name: Mike Wilkes

Organisation: SecurityScorecard

Job title: CISO

Date started current role: August 2020

Location: New York, NY, USA

Mike Wilkes is a technology evangelist and Chief Information Security Officer who has built, transformed and protected companies such as ASCAP, Marvel, AQR Capital, CME Group, Sony and Macy's, as well as European banks and airlines. A graduate of Stanford University, he is a featured speaker at technology conferences and is a professor at NYU teaching cybersecurity courses. An avid jazz fan and musician, he is also on the board of trustees for the National Jazz Museum in Harlem.

What was your first job? Short order cook at A&W Root Beer Restaurant - predicting how many hamburgers to put on the grill as a station wagon full of Little League baseball players drove up.

How did you get involved in cybersecurity? I’ve always had to pay attention to infosec, but it has not been my focus until the last several years. Developing Starbucks’ first web site in 1998 while working at Organic during the dot com boom provided one of my first real and fun cybersecurity memories. Microsoft donated the hardware for the site so that they could claim bragging rights that it ran on Windows and their IIS webserver. But I knew that it would fall over after doing load testing based on estimated measures of concurrency. It was essentially a “brochure website” with no real e-commerce capabilities. My own night’s rest would be sacrificed if the site went down. I decided to put a Sun Solaris server running Apache in front of it as a reverse proxy. I didn’t want anyone to notice this, so I recompiled the httpd daemon to identify as an IIS server in the headers.

This was, in modern terms, my first use of deception for security purposes. Infosec is founded on three pillars: availability, integrity and confidentiality. NIST now has guidance for security programs to incorporate deception in their proactive areas of design but I did it out of self-preservation. Looking back I think it was one of my first real steps towards being a hands-on, technically-minded CISO. My early experiences remain part of my philosophy of cybersecurity: it needs to be everyone’s responsibility even though only some people have the word “security” in their job title.

What was your education? Do you hold any certifications? What are they? Public schools in Pittsburgh, PA, then a suburb of Milwaukee, WI. Undergraduate degree at UW-Madison and master’s degree from Stanford in the philosophy of education. I have an ITIL certification from 2013.

Explain your career path. Did you take any detours? If so, discuss. Yes, I certainly took a detour. My first real job was with a US Department of Education think tank. I managed K-12 educational technology programs for several western states, disseminating information about model technology programs, distance learning programs and educational technology grants. But after about a year there I realised that there was little that I could do to effect real change in education. There were more computers in the dumpsters of Palo Alto than in the classrooms at the time. So I gave up my indentured servitude at the think tank and my hobby of computers became my career. I started working at a very prescient company called Internet Profiles, auditing the web traffic of the major properties of the time like Yahoo!, Geocities, Netscape, Microsoft and hundreds of other ad-supported sites. From there I used my knowledge of web analytics to land a job at the web design firm Organic.

I survived five rounds of layoffs when the bubble crashed and then one day, I decided to quit Organic and move to Europe for a year or two. I ended up living and working there for eleven years! I returned to the US in 2013 and joined the CME Group. After that I ran the infrastructure team at AQR Capital and helped build and improve the technology stack for their $184 billion hedge fund. Following that I ran the devops, enterprise architecture and infosec teams at Marvel, built a security program from scratch for ASCAP, and now lead security for SecurityScorecard. It’s been an incredible journey, working in so many different industries and sectors from travel to energy to financial services, entertainment and now with a security vendor. But through all of it, I’ve always paid attention to security, infrastructure and the teams who have literally built the internet.

Was there anyone who has inspired or mentored you in your career? I’ve been truly fortunate to learn from everyone I’ve worked with over the years. No one particular person has been my mentor, but I can honestly say that everyone has something to teach. We just need to make sure we are able to hear it and incorporate the experience and abilities of others in our own path of self-awareness and self-improvement. Now I’m more concerned about passing on my own experience and insights to others. This is why I began teaching last year at NYU. The ability to help influence the next generation of infosec professionals is really exciting, especially when I get to talk philosophy with them as part of my coursework and assignments. Being a good technologist or security leader is not just about tools and scripts and technology. It’s also about applying ethics, psychology and logic.

What do you feel is the most important aspect of your job? I’ve heard some clever answers to this kind of question that I like to relay to anyone reading this profile. We should not be in the business of deploying security features, we should be in the business of deploying features securely. Infosec should not be perceived as a hurdle on the way from development to production; it must be embedded in the entire SDLC from design and requirements to implementation. As managers we execute a plan, as leaders we manage scarcity, and as executives we manage ambiguity. I believe it’s my job to ensure that I help create more future security engineers and leaders.

What metrics or KPIs do you use to measure security effectiveness? It somewhat depends on the industry or business because the assets that must be protected vary. When I worked at Marvel, I joked that it was my job to keep Iron Man safe. He is intellectual property and a role model for many. So effective security in that case is making sure that we had multi-factor authentication on our social media accounts for him and for all of the other heroes, gods and mutants. We couldn’t let a breach lead to those accounts tweeting out something unsavory or off-brand. At ASCAP it was about protecting the livelihood of 800,000 members and their royalty payments. Maintaining the trust in the organisation to protect the community from fraud was just one of many quantifiable metrics to track.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Fortunately, no. We are always looking for top talent to join our company – and while I find that the overall skills shortage is problematic – SecurityScorecard has been successful in sourcing, attracting and retaining talented professionals to help us further our platform and deliver on the mission to help make the world a safer place. I’m a tough hiring manager, however. Only about 3 percent of my phone screens make it to the second round. And that’s usually a 20-minute phone call to make the determination.

Cybersecurity is constantly changing – how do you keep learning? I use RSS feeds, Slack channels with former colleagues and Twitter to keep abreast of trends and news. Experience teaches us to see patterns that recur. Pendulum swings might change with the latest fashion for scripting languages, but what the scripts and tools are meant to do is often constant. When we succeed as technologists, the technology recedes into the background. Like fish talking about the water… the fish don’t talk about the water. If we’ve done our jobs, everyone can think about the business, product features and the data… not have to worry about remembering dozens of passwords or disks filling up or memory leaks and application crashes.

What conferences are on your must-attend list? Honestly, none. I think many of the large conferences are becoming a real waste of time and money. The so-called “b-sides” have much richer content and community and discussion than those with countless vendors sprawling across convention room floors. Especially now with the pandemic limiting the ability to assemble in person, I’ve been very much focused on smaller and more intimate settings and discussions of five or six people.

What is the best current trend in cybersecurity? The worst? Quantum storage technology because it can be used to potentially build perfectly secret voting machines. The stored qubit of information with your vote is altered if observed. For the worst, quantum cryptography because it will destroy all of our current algorithms and ciphers in its wake (but we must advance and find new encryption techniques that are resistant to the threats that quantum computers will bring in the next few years).

What's the best career advice you ever received? Stay curious. Always be reading and learning and experimenting with new things.

What advice would you give to aspiring security leaders? Decide whether you are the transformational leader or the “keep the lights on” leader and play to your strengths. Then hire really smart people and get out of their way.

What has been your greatest career achievement? It’s still ahead of me I would like to think. For past achievements, I would say writing the book about internet applications for Cisco Press back in 2002 was pretty darn impressive. The focused and concerted effort required was substantial and challenging. Near the end of the 784 pages I tortured myself by listening to Enya’s “May It Be” from the Lord of the Rings soundtrack on repeat until I finished writing it.

Looking back with 20:20 hindsight, what would you have done differently? I might have asked Starbucks to pay me in stock options!

What is your favourite quote? Heraclitus, an ancient Greek philosopher and historian once said: “You can never step into the same river twice.” This for me typifies the world of infosec as a constantly changing river of risk. And we ourselves also change from day to day, week to week as we step up to that river and decide how to navigate its currents and rapids.

What are you reading now? Reaching Beyond: Improvisations on Jazz, Buddhism, and a Joyful Life by Herbie Hancock, Daisaku Ikeda, and Wayne Shorter.

In my spare time, I like to… play jazz (I’ve played drums and percussion since 3rd grade).

Most people don't know that I… was in the Guinness Book of World Records because I participated in the World’s Largest Orchestra one very cold winter morning in Wisconsin as we played John Philip Sousa’s “Stars and Stripes Forever” in the parking lot of a shopping mall.

Ask me to do anything but… Jump out of a perfectly good airplane. Never felt the desire to skydive.