Secret CSO: Mark Houpt, DataBank

Secret CSO: Mark Houpt, DataBank

Name: Mark Houpt

Organisation: DataBank

Job title: Chief Information Security Officer

Date started current role: January 2015

Location: Dallas, TX

As Chief Information Security Officer of DataBank, Mark Houpt brings over 25 years of extensive information security and information technology experience in a wide range of industries and institutions. Houpt joined DataBank in September of 2017 with the acquisition of Edge Hosting (CISO since 2015). In his leadership position, Houpt's responsibilities include strategic planning, oversight of security and compliance, as well as providing subject matter expertise for developing and maintaining a comprehensive, integrated information security and compliance program. He is an active member of ISC2, ASIS International, CompTIA, IAPP, ISACA, among other leading national and international security organisations.

What was your first job?  Cryptologist with the U.S. Navy.

How did you get involved in cybersecurity? Cryptologist with the U.S. Navy.

What was your education? Do you hold any certifications? What are they?

  • Master's in Information Security and Assurance, the Certified Information System Security Professional (CISSP) Certified Cloud Security Professional (CCSP).
  • Certified Ethical Hacker (CEHv9).
  • Computer Hacking Forensic Investigator (CHFI), Security +, Network + and A+.
  • FedRAMP, HIPAA and PCI-DSS compliance requirements expert.
  • DoD IAT Level III, IAM Level III, IASAE Level II, CND Analyst, CND Infrastructure Support, CND Incident Responder, and CND Auditor positions.

Explain your career path. Did you take any detours? If so, discuss. My career path started out similarly to many IT professionals back in the late 80's and 90's. I fooled around with computers and taught myself. Even in the military, although there was a basic school, most practical work was self-paced, self-taught work based on military publications. Although I have gone on to earn a bachelors and master's degree in cyber-security, the self-teaching methodology is still my favorite and most effective method of learning.

My career started with part-time work in high school cabling up our small computer lab and managing the Apple IIC and IIe devices, I progressed to the military service in cryptology, then a help desk, desktop support and a network manager before going back into cyber-security full-time.

In cyber-security, I have been a network security manager, security engineer, security architect, forensic investigator and much more. I love my job as a CISO today and would not change it.

Was there anyone who has inspired or mentored you in your career? Yes, there were a number of people along my career path that have impacted my career, too many to really mention. Probably the person that had the most impact is Roy Mellinger. He taught me how to be a CISO. Some of the biggest lessons was learning how to get people to respect the office of CISO, deal with auditors and working with executive counterparts in an organisation. Even more specifically, how to get what you want by being tough but also give a little to get a little.

What do you feel is the most important aspect of your job? There are different aspects of the role of CISO. Probably the most important in one direction is how to grow and lead the Security and Compliance team. I tell my team that I am not successful if they are not successful, so I ask them what I can do to make them successful. On the flip side, dealing with customers, whether they are internal or external customers, is communicating the complexity of security in a common-sense way. One of the biggest challenges of security and compliance is answering the "why" question. If people understand why, they join you in the how. If they join you in the how you then have many hands make complex, tough work, light.

What metrics or KPIs do you use to measure security effectiveness? Every company is different. My KPIs are not typically what you would find for a CISO. We are a customer-facing, private equity company so anything related to a customer is a KPI - the number of IPS or firewall attack blocks, the number of exceptions (or lack thereof) on an audit report, how quickly we get the audit done, the number of customer request tickets (opened by customers) that are closed in a specified SLA, even the number of interactions I as CISO have that impact sales for the organisation. Financials (EBITDA) is important to us, so another KPI is getting the biggest bang for our services dollar.  

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? No, the skills shortage is not impacting my organisation for three reasons. One, I always keep a backlog of resumes, people I have talked to. Basically, I always have a backup plan. Two, I operate in diverse areas, including some more rural "Tier 2" markets where the gap is less, especially when you offer an opportunity to work in a nationwide company. Third, I treat people with respect. My greatest assets are the people that work for me. I treat them like that, I tell them that, I work with them and give them a work/life balance. I have had one person terminated from my team in a 5-year period and he chose to change careers altogether and get out of IT for a higher calling. Is our team perfect? No; but people stay because they know that they are treated right overall.

Cybersecurity is constantly changing - how do you keep learning? I have been trained from an early age to be a life long learner. I am always looking for new things to read up on, tinker in, or try out. I won't lie though. Things are changing so fast and the workload so heavy that keeping up on things is hard. For me to keep up on things I carve out time. I do a lot of travel. I will plan my trips knowing how much time I have in the airports, on the planes themselves etc. I will download documents, podcasts and videos on my tablet to review while sitting on the plane or in the waiting area. I work through things in hotel rooms and across breakfast tables. It is simply a matter of prioritisation and planning.

What conferences are on your must-attend list? None - unless I am speaking, I dislike them. You will never find me at DefCon or BlackHat. Too many people I know have become targets going to those conferences. RSA has become political, as in real politics. Last time I was there almost every keynote was a political personality, from one particular party, that knew little about or had no involvement in cybersecurity.

Don't let your staff fool you. Many people go to these conferences for a bit of a vacation. They are usually in nice locations and people sleep in in the morning and party at night, calling it "networking." To be honest, when I go to conferences I have learned to avoid the keynotes. The real info is in the break out sessions and depends on the quality of the speaker.

What is the best current trend in cybersecurity? The worst? The best trend in cybersecurity right now is the overall awareness. Cybersecurity discussions are in every aspect of our society, whether it be about a data breach, privacy or international conflict. Cybersecurity is centre stage right now.

The worst trend is the same as the best trend—since everyone is talking about it, there is plenty of disinformation. But if I were to switch away from awareness, probably the worst topic going on right now are the discussions on privacy. GDPR, the Facebook/Cambridge Analytica matter, California and other privacy legislation is having an impact. There are a lot of different camps and it really is becoming a bit of a fight.

What's the best career advice you ever received? There have been so many gems that people have imparted on me that it is hard to come up with one. But I have to say there is one that gave me a new perspective and it has nothing to do with security. I was a young Seaman in the Navy stationed in Washington DC. I was really nervous about dealing with Admirals, Generals and other high-ranking individuals. Someone pulled me aside one day after seeing my apprehension around these types of people and said hey, how did that Admiral put his pants on this morning? I looked at her with the strangest look I am sure and said what? She repeated the question. My answer is predictable - I don't know. She said I bet he put his pants and uniform on the same way you did, one leg at a time. It showed me that despite the disparity in our rank, power and authority, we had something in common and that the person under that uniform is just another person. It taught me to see people for who they really are, not the uniform or mask that they wear. I have used that over and over in my career. When someone has been agitated with me I sit down and look for the commonality we have and then use that to get things done. I also learned from that to look for the root cause of their agitation and put that fire out with the commonality.

What advice would you give to aspiring security leaders? Be yourself. There are plenty of plastic people out there. You will have more success being yourself, being humble and getting the job done.

Be confident. A lot of leadership is confidence. Sure, we all get frustrated and discouraged at times. Some of my lowest times have been during attacks when it feels like we are being crushed by the bad guys. But remaining confident is more important than being positive as a leader (to me). People will follow someone that is confident through thick and then. There are times when just being positive is out of place. Being confident is more realistic. I tell people all the time, I am going to win. Sometimes I don't know how I am going to win. But I am going to win. Now lets get down in the mud and figure this out knowing we will win.

What has been your greatest career achievement? A couple of years ago our company lost an important contract that resulted in the loss of an important compliance certification. In order to get it back we had to fight tooth and nail. We had to rebuild our environment, find a new customer, rewrite 3000 pages of documentation and then go through an assessment and approval process where the deck was stacked against us. As I said before, I will win. Sometimes I don't know exactly how. But I will win. It took one year. We won.

Looking back with 20:20 hindsight, what would you have done differently? Nothing. Every situation and challenge are what has shaped who I am today. I am a successful CISO because of the successes, challenges, and even failures of my entire career.

To be realistic, many times I have said man, I wish I would have stayed in the Navy for the full 20 years. That was the way I grew up and I loved that work. But that is not where I was supposed to be. I am and have been where I am supposed to be. Had I stayed in I would not have met my wife, had my kids, had the roles and responsibilities I have had. I would not have had the success and the failures or met the people that have shaped me along the way.

What is your favourite quote?I have one that is attributable to Ben Franklin and has some security implications is this "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." Too many people are willing to give up flexibility for security. Security can be implemented and addressed in many ways. It should generally be invisible and non-intrusive except for when the security function will deter major crime. We seem to react to situations by piling on more security these days. That is not always what is needed. The second is one I cannot attribute to a name. I heard it said and I don't know where. But I love it - people mistake privacy for security. I think this described GDPR and other current privacy legislation on the table. There is a thought process that if they allow control of privacy it is a form of security. There is another thought process that if I can control my privacy, I am secure. Neither are true.

What are you reading now? Chasing the Demon by Dan Hampton. It is the history and story of the people in aviation that took risks to obtain the (then) ultimate goal of breaking the sound barrier. Back in the 1940's through 1960's our aviation pioneers would risk their lives for the goal. They had the mind set that they would win. They may lose some people along the way. They may not know how to get there. But they were going to get there. It is stories of perseverance like this that help me deal with challenging events in the office. I figure if these guys could literally blast into the unknown and risk their life, I can battle the hackers. George Washington's Secret Six by Brian Kilmeade. Again, history has a security twist. It is really neat to read how "they" spied and maintained security and cryptography 250 years ago and compare to the same tactics we use in Cyber Security. There really isn't much difference at the root. Social Engineering - the Science of Human Hacking by Christopher Hadnagy. Just started this one. But I love social engineering and the tactics used to hack the systems.

In my spare time, I like to… Do nothing related to cyber security. That is how I relax my mind for the next run. I love northwest Montana - in the Flathead valley and Glacier National Park. There is, to my knowledge, no more beautiful, exciting and mysterious place on earth. I look at those mountains and wonder what is behind them. The winter, though a put off to most, is the best time to be there. The snow just makes the mountain ruggedness stand out. I wonder when the last time a person was actually back there among them (and truthfully, it could have been a long time for some of them). The area is also like one big zoo - multiple types of bears including the grizzly, mountain goats, elk, deer of all types, big horn sheep, the list can go on. I was up there the other day and saw a bear chasing a deer down a mountain. When the bear lost the deer, he stood up on his hind legs to find it. Where else are you going to see that? The other thing I do is build plastic model aircraft kits for myself, pilots and museums. I have a number of them in museums across the Midwest and even in Boeing's production plant in Long Beach, CA. It is just a nice, relaxing hobby.

Most people don't know that I… I have a life outside of being a CISO. It is probably about my spare time hobby building plastic models. I don't tell a lot of people about that (but then here I tell everyone).

Ask me to do anything but… Compromise my ethical values. I can't work in situations where it is ok to lie, cheat and steal. Everyone does it a bit, usually by omission. But if it is part of your DNA and you do those items by Commission, I am done and out. You are on your own.



« InfluxData puts a time stamp on the data deluge


CTO Sessions: James Mason, MUSO »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail


Do you think your smartphone is making you a workaholic?