Secret CSO: Mike Scott, Immuta

What's the best career advice you ever received? “Soft skills are almost as essential as technical skills, and the higher you rise in your career, the more vital they become.”

Headshot of Mike Scott, CISO at Immuta

Name: Mike Scott

Organisation: Immuta

Job title: Chief Information Security Officer

Date started current role: February 2020

Location: Columbus, Ohio

Mike Scott is the CISO of Immuta, whose mission is to make the future of data secure. He is known for his work building enterprise-ready security programs, security architecture, and data privacy and protection. Scott is passionate about always doing the right thing to protect our customers, employees, and investors. He is a highly experienced and accomplished leader in information and data security, real-time analysis of immediate threats, and IT and infrastructure designs. He has a proven track record in developing strategic plans to protect enterprise information assets, mitigate risks, control cyber incidents, and maintain compliance with multiple regimes, including PCI-DSS, HIPAA, and SOC2.

What was your first job? My first job in technology was at a small internet service provider in the early 1990s. I provided phone and in-person support to consumer and business customers.

How did you get involved in cybersecurity? My second technology job was at a start-up, Witness Systems (now Verint). When we decided to implement our first firewall, a Cisco PIX Classic, I volunteered to learn and manage the new technology. As we grew and cybersecurity requirements increased, I continued to lead those engagements and eventually was promoted to Information Security Manager.

What was your education? Do you hold any certifications? What are they? My career was built on a lot of hard work, self-study, and taking advantage of training opportunities provided by previous employers. I have held several certifications throughout my career including vendor-specific and vendor-agnostic certifications. My ISACA, ISC2, and SANS certifications were the most relevant in the security industry. I eventually earned an Associate’s Degree at Penn State in 2020; even today, higher education leaves much to be desired for those pursuing cybersecurity careers.

Explain your career path. Did you take any detours? If so, discuss. My career started in IT after my time in the U.S. Navy, and I continued to follow the technical IT/Security track for almost twenty (20) years. Several years ago, I took a slight detour from working as a practitioner and dabbled in supporting security-focused sales organisations in an advisory role. It was nice to take a break from the stress of being a CISO for a few years, but ultimately, I missed the connection built with co-workers and the company mission when working for a single organisation.

Was there anyone who has inspired or mentored you in your career? I have had the fortune of working with many incredible people throughout my career. The people that stand out the most to me are Kathy and Greg from my Witness/Verint days and Don from my time at Wendy's. Kathy and Greg were formative influences on my current leadership style. Don helped me grow from a Director to a VP; together, we learned and evolved as leaders. Don demonstrated exceptional leadership and treated me as a partner more than a direct report. It was a special time in my career.

What do you feel is the most important aspect of your job? As a security professional, my job is to protect and enable my organisation. Security is about managing risk ultimately; which requires a balanced and comprehensive understanding of the technology, security risks, and needs of the organisation.

What metrics or KPIs do you use to measure security effectiveness? Metrics and KPIs should tell a story and inspire action or awareness. I prefer to use a limited set of metrics outside of my department to maintain focus on the particular issue(s) that we are experiencing. Vulnerability management, endpoint security, security events and incidents, and compliance-related metrics have been the most common that I have found resonated with upper leadership throughout my career.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I believe everyone is affected by the security skills shortage, no matter what size the organisation is. Cloud security continues to be one of the most challenging skills to find. The only way to scale today is to build security into other technology roles, especially in IT and development teams.

Cybersecurity is constantly changing – how do you keep learning? Like most professionals, I subscribe to several newsletters and blogs and attend webinars throughout the year, which keep me up to date on security trends and risks. I also devote time to learning and understanding new technologies and concepts that apply both in and out of my current company. You cannot provide sound counsel on Kubernetes security if you do not seek to understand it at least at a high level, for example.

What conferences are on your must-attend list? I have found that SANS Institute training and summits and Evanta CISO Community events are two of my favourites. SANS provides the best technical training and summits I have experienced. Evanta brings CISOs together in a great format that enables valuable peer-to-peer relationship building and sharing. If you are new to security, RSA and Blackhat are great ways to build security knowledge and learn how to talk security.

What is the best current trend in cybersecurity? The worst? Moving to the cloud is surprisingly the best trend I have seen for security. Legacy physical servers, data centres, and traditional on-premises solutions require years of depreciation financially and create a continuous loop of technical debt. Cloud-native companies have agility and adaptability that cannot be realised by those with on-premises anchors holding them back. At my current organisation, I can replace my entire cloud security stack annually should I desire to do so.

Worst trend – Security leadership continues to be placed under the CIO in the organisation. Security is not just a technology problem; it is a business problem that requires executive buy-in and support to achieve success.  Additionally, security requirements can be necessarily restrictive to IT initiatives and create a conflict of interest in the CIO-CISO relationship.

What's the best career advice you ever received? Soft skills are almost as essential as technical skills, and the higher you rise in your career, the more vital they become.

What advice would you give to aspiring security leaders? Seek to understand the business, departments, and people that you serve and what they must accomplish to be successful. Security professionals must be able to balance business needs with security and compliance needs. You cannot do that if you don’t understand both sides and the downstream impact of your program. 

What has been your greatest career achievement? People. I have personally built security careers for several great former employees that transitioned from other parts of IT and the business. Identifying talent and encouraging the success of others is something I hold close and dear to me.

Looking back with 20:20 hindsight, what would you have done differently? This is a difficult question! Honestly, no, there is nothing that I would change. I have often thought that if I had a bachelor's degree way back that my career might have been easier, with more career choices. Today that is not a concern as our industry recognises there are multiple paths to building an excellent security career and that Higher education cannot keep up with the pace of learning required in our field.  I will take someone with a SANS certification and High School diploma over someone with just a degree almost any day.

What is your favourite quote? “If you give a monkey a hammer, someone will get hit. And chances are, it’s not the monkey.” ~ unknown – I love the visual, but ultimately it means that if you give someone access to something they don’t know how to use, someone may get hurt. In security, it is vital that everyone knows what is expected of them, policies and procedures, and that we provide only the access required, the least privilege, to help protect the company and the individual.

What are you reading now? Kubernetes security-related articles and Privacy journals mostly!

In my spare time, I like to… White water kayak, snowboard, travel, and spend time with my family.

Most people don't know that I… am the most interesting man in the world. I am an award-winning poultry judge, former Rave promoter, spelunker, kayaker, and more. I have experienced a lot in life.

Ask me to do anything but… be quiet 😊 I am a talker and always have been. Otherwise, I am pretty adventurous and open to new experiences.