Secret CSO: Bryan Willett, Lexmark International

What do you feel is the most important aspect of your job? “It’s communication. The end user is our first line of defence.”

Name: Bryan Willett

Organisation: Lexmark International

Job title: Chief Information Security Officer

Date started current role: August 2016

Location: Lexington, Kentucky

Bryan Willett is the Chief Information Security Officer (CISO) at Lexmark. Under his tenure, Lexmark has made significant investments in security infrastructure, monitoring and operations across all business areas including IT, supply chain, shared services and R&D. These investments are focused on reducing Lexmark’s overall security risks and complying with regulatory requirements. Willett holds a bachelor’s degree in electrical engineering from the University of Louisville.

What was your first job? I worked for my father when I was 13 years old in an office supply store, and it was the best thing ever for me. Naturally, I am an introvert, so having to deal with people on a day-to-day basis helped me develop extrovert traits that I never had up until that point. Bringing myself to become an extrovert has served me well throughout the rest of my life.

Now, my first job in the real world was far away from security. It was for McDonnell Douglas, as an engineer working on the radar avionics of F-15 and F-18 fighter jets. Those were my “Top Gun” years, so to speak.

How did you get involved in cybersecurity? This is just one of those strange happenstance things of my career. I was deep in firmware development when a senior technical leader came to me concerned that the firmware in the printers had been hacked, and he wanted me to investigate. That was my first foray into the wonderful world of cybersecurity. Flash forward three years, I was assigned to take over managing the firmware security of the R&D group. That broadened me into many different aspects of security – technical, governance and customer experience. From there, it just continued to blossom.

What was your education? Do you hold any certifications? What are they? I hold a bachelor’s degree in electrical engineering from the University of Louisville. I also hold a CISSP (Certified Information Systems Security Practitioner) through ISC2. In this job, there is the degree you get, and there is the one you get from on-the-job learning. In my case, how I operate today is because of the people around me who were all super smart. They were all unique and tested me in many ways. I probably learned as much in my roles and projects at Lexmark than I did studying engineering, if not more.

Explain your career path. Did you take any detours? If so, discuss. You can say the whole first three quarters of my career was a big detour. It was all in engineering. Today, I am responsible for security policy, governance, architecture and operations at Lexmark. That is not what I did before taking this role. But when you look at what the role required at the time, we needed someone who understood R&D, had a strong security background and could bridge regulatory requirements of the U.S. government and customers. That’s where my background really helped.

Was there anyone who has inspired or mentored you in your career? I have had many mentors throughout my career. This may sound a little cheesy, but I consider my parents to be the #1 mentor because of the sense of work ethic they instilled in me. They established my foundation for speaking with people and speaking in front of crowds. Throughout my career, I can rattle off dozens of mentors from direct management to peers that I learned life lessons from. To this day, I use their advice in how I deal with the new challenges of this job. They are all fundamental tools in my toolbox.

What do you feel is the most important aspect of your job? It’s communication. The end user is our first line of defence. If they don’t understand why we are doing what we are doing, then it will fail. There’s also communication with management to understand the investments we are making in security, what the risks are to Lexmark, if there is a risk in their own business area that needs to be addressed, or something they are willing to accept. Another aspect is communications with my peers. IT is a separate organisation, but we need to communicate regularly and be tied together. This is the same for my employees. I need to ensure that they understand the strategy and priorities to execute on.

What metrics or KPIs do you use to measure security effectiveness? If we don’t have good cyber-hygiene, we will not have an effective program. That covers a lot of ground. There are identities, and what access do those identities have? Where do I have admins, and what percentage of admins might have exceptions attached to their IDs? What is the patching effectiveness of my workstations or servers? What percentage are compliant with our hardening policy? What percentage of systems are we monitoring with endpoint protection, and which are we not? And what is the rate of incidents we are seeing on each one of those? Those are just a few examples of the KPIs I look at, and they all speak to that larger idea of cyber-hygiene I mentioned before.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Lexmark, along with pretty much any business today, is being impacted by the current skills shortage. In a security organisation, you need varying levels of skillsets, from new college graduates to experienced industry experts. As an example, security architecture roles that require broad enterprise-level experience have proven difficult to fill. On the flip side, the low-level security analyst roles are hard to retain because there are so many other opportunities out there for them to move up quickly.

We have had plenty of success getting career Lexmark employees, who are ready for a different challenge in their career, to move over into the security organisation and learn a new career to keep them around longer. That’s been a success for us in diversifying the group. We are not just hiring career security people. We obtain fresh perspectives from our R&D group, services group, finance group and audit group. They learn new skills and capabilities, and their experience helps us on the security front. If we are going to put a new policy in place, I can get a good diverse set of individuals who will understand what that might mean to their full business areas and how it may impact them.

I’ve got a story of challenges with shortages. Yet, I have wins with the number of people we’ve been able to grow externally.

Cybersecurity is constantly changing – how do you keep learning? I have an RSS feed of cybersecurity news sources that I read constantly. On top of that, I try to attend various conferences, whether they are local or a big conference like RSA, allowing me to hone my skills. Lastly, it’s about networking, talking with others in the field and sharing the challenges we’re having and learning from each other.

What conferences are on your must-attend list? RSA is probably my big one. I try to attend regional chapters like a local CISO executive summit. The regional ones are very helpful because they give you a network of local peers. They are the folks I text or call frequently to see if they are seeing the same thing I am seeing – kind of like a backyard buddy.

What is the best current trend in cybersecurity? The worst? Zero trust is both the best and worst. It’s an excellent trend and philosophy – something everyone should strive for. But it’s the worst because it’s so broad and ambitious that it can be unrealistic to ever achieve. Zero trust is trying to hit on everything – segmenting your network, identities, monitoring, access, etc. Holistically, it’s hitting on all the main control areas that help prevent an incident from spreading in your environment – all very good principles. The challenge, though, is that implementing zero trust in an organisation requires an unlimited budget with unlimited resources to make it happen. Or you recognise it’s not realistic and need to scale it back to something that is a good fit for your organisation, risk tolerance and budget.

What's the best career advice you ever received? Be very clear on your career goals. If it’s something you want to do and achieve, make sure it’s known – particularly to your manager.

Everyone reading this will have some role or ambition they are trying to get to next. If you sit around waiting for something to come around to you, it won’t happen. You need to be clear on what you are looking to accomplish in the role you’re in and what you are looking to do next. Otherwise you’ll be sitting in your current job indefinitely, or some variant of it.

When creating a development plan for yourself, write out that job description. Write out what you want that job to be, and from that job description you can start to build out the career experiences you need, where you have knowledge gaps that need to be filled in, and at the same time let management know this is what you want to be so they can help you get there.

What advice would you give to aspiring security leaders? They need a diverse background. Don’t go into security solely for security. You get into security only after having other business experiences. Everyone in my group brings a business level of understanding into security that helps us align to the business as we strive to drive risk down. If the individual doesn’t understand how the business operates, they can become very black and white and that causes problems with your relationship to the business and users. If you lose those two, you’ve failed at your job.

What has been your greatest career achievement? My teams. I am proud and amazed by the teams we’ve built and what we’ve accomplished. I want to specifically highlight the individuals who have come to my organisation. If it was not for them and their commitment to learn, we would not have been able to build out the security program we have today at Lexmark – and not just in Lexington, where Lexmark is headquartered, but a worldwide team of security professionals both old and new. Their dedication to making us succeed is the proudest moment in my career.

Looking back with 20:20 hindsight, what would you have done differently? I was in R&D for a long time. With 20:20 hindsight, I would have told myself to move around to more business areas. Don’t get stuck in one area, for the purposes of building diversity in your own experiences. I think that’s important.

What is your favourite quote? “Building a better mousetrap merely results in smarter mice.” This quote, from Charles Darwin, really hits on the idea that as we continue to enhance our defences, the bad actors continue to evolve as well. The key point is that the security organisation must continually evolve our practices and methods to stay ahead of the bad actors.

What are you reading now? I recently read The Accidental Superpower. I enjoy geopolitical topics like how the U.S. became a superpower, what it would look like from a visionary perspective in the future and the challenges ahead. Politics can become policy, and that directly impacts my job. I am currently reading The Long Game. I’m fairly short into it now. It’s interesting from a career standpoint, about taking a step back and thinking about what you are hoping to accomplish with your career and how to prioritise the many things pulling in your life to accomplish your goals.

In my spare time, I like to… I like to do woodwork. I remodelled my whole basement and built cabinets, a bar and a world-class closet for my wife. It’s definitely a labour of love – not something I would make money off of. It’s a stress-reliever. My second love is cooking. It all comes from my engineering background. I like to build and create things. Both woodwork and cooking give me something I can stand back from and admire.

Most people don't know that I… make a mean sourdough bread. Like a lot of other folks, I picked up baking during the pandemic.

Ask me to do anything but… Fix your computer. Fixing a computer is what I already do in my day job.