In this episode, Kip and Jason are joined by Steve McMichael, who has rapidly climbed the cybersecurity career ladder. Within 2 years, Steve was able to move up to the position of Director of Governance, Risk, and Compliance for a large, publicly traded company after transitioning from a position in accounting and finance.
They talk about governance, risk, and compliance (GRC) and how those are applied within enterprise-level organizations. Steve also talks about how GRC is conducted at his organization and how they work across numerous departments to achieve their goals.
In general, getting into a governance, risk, and compliance position can get you exposure across a large breadth of your organization. Compliance positions also give you direct access to a lot of the executives within the company, allowing you to rapidly scale upward in your career.
Also, Kip discusses what skills are required of a good Chief Information Officer (CIO) and how working in a governance, risk, and compliance role can help you get to a CIO role in your career.
Kip Boyle:
Hi everyone, welcome, this is Your Cyber Path. My name is Kip Boyle and I’m here with my co-host Jason Dion. Hey, Jason.
Jason Dion:
Hey Kip, how are you doing today?
Kip Boyle:
I’m doing great. Just came back from a two week family vacation in Orlando, which was really cool for a number of reasons, not the least of which is that’s your new hangout. And we got to get together, have some dinner with our families, your Chief Operations Officer, Susan. It was a fantastic time. We got to go to all the main attractions down there. It was blazing hot. I can’t lie. It was super duper hot, but we had a wonderful, wonderful time. And your office, since you’re relocating to Orlando, you’re building out an office, right? How’s that going?
Jason Dion:
Yeah. So the office is… The studio’s all built out, the desks actually arrive today. So one of our folks is at the studio right now collecting all the desks for all the offices. So we should be done by the end of this week with getting it all built out. And then early next year we’ll be moving in there full time.
Kip Boyle:
Wow. And then you’ve got a couple of new instructors coming on board and just sounds like… Oh, and then you got some more people on your support team. You’re growing, aren’t you?
Jason Dion:
Yeah, we’ve worked to about 23, 24 people right now. We got three instructors on staff right now. We’re finishing up Linux+, we just finished up Data+, and both of those were co-instructor courses and now we’re working on A+. So we’re just continuing to build out the entire cybersecurity pipeline through CompTIA. So it’s been busy.
Kip Boyle:
And speaking of CompTIA, that’s where you’re at today, recording. You’re in Chicago attending a CompTIA conference, right?
Jason Dion:
So for those who are watching us on YouTube, you could see behind me, I’m actually in a hotel room. I’m not in my normal studio. And yeah, I’m actually attending the CompTIA partner summit that starts tomorrow, and let’s see, Wednesday and Thursday. And I’m actually speaking on Wednesday about the future of ed tech and where we are and how this migration through COVID has happened and what that looks like for a lot of the different tech companies out here that are training their employees and what they can do. Especially as we move into 2022, 2023, and how that’s all going to change. Because I see some more big changes on the horizon, especially as people are trying to cut costs and increase the ability to train the workforce.
Kip Boyle:
Oh man, that’s really cool. It just feels like you’ve got your finger on the pulse of what’s happening in ed tech. So yeah, well, anyway, I’m looking forward to hearing, after you get done there, the major takeaways. You and I are going to be making our new RMF course, which is going to go on to Udemy maybe around November? October?
Jason Dion:
It should be around October-ish is when we should be releasing that. And for those who are listening, RMF is the Risk Management Framework. It’s the sister course to the NIST Cybersecurity Framework. So if you work in the DOD and DOD contracting, you’re probably heavily using RMF, or wanting to get in that world. It’s definitely something you should look into. It’s one of those things that we’ve been requested a lot for. So that’s what you and I are working on now.
Kip Boyle:
Yeah, exactly. And we could make it a D&D episode. I could bring my dice, and roll for initiative, who knows, right? I might be able to-
Jason Dion:
You don’t venture there.
Kip Boyle:
I’ll get more screen time if I can just get those high numbers. Well, listen, glad to catch up with you. Today, we’re going to talk about somebody who I’ve known for a couple of years now and whose story I think is so inspiring. His name is Steve McMichael. And I just want to introduce him to our audience because if you want to feel inspired by somebody who said, “I’m mid career, I want to transition to cyber and by golly, I’m going to figure it out one way or the other.” Then you need to keep listening to Steve and learn his story because he has really done something marvelous for himself. He’s done such good work. And I just feel like folks in our audience should know about his story.
So I met Steve in the spring of 2020. He was working in accounting for Blackberry, a publicly traded large company based in Ontario. And he wanted to get into cybersecurity. And that was just when I had started to offer Your Cyber Path, the course that Jason and I teach now. I had just started offering it, and Steve, God bless him, he opted in and he’s like, “I’ll go ahead and give this thing a try”, because I told everybody, I said, “this is my beta course. I don’t know what I’m doing, but if you want to come along this crazy little journey with me, I’d love to have you”.
So that was the spring of 2020, well, by October, so about six months later, we were in a podcast together because guess what? He had crossed over into cyber security. I’m going to put a link to that podcast episode in the show notes, because I think he and I do a good job of really describing in detail how he made that transition, what it was like for him. We’ll talk a little bit about that today.
And so then just two years after I first met Steve, he sends me a note the other day, and I’ll summarize the note for you. “Hey Kip, thought I’d just let you know. I’m now the boss of my team. I’m the director of governance, risk and compliance for Blackberry, a large publicly traded enterprise.” And I just couldn’t tell you how pleased I was. And I was just like, “people have got to get to know you”. So Steve, thank you for agreeing to spend a little bit of time joining us here on the podcast. How are you?
Steve McMichael:
Hey, thank you guys. I’m great. I’ve listened to every podcast. I’ve taken multiple of both of your courses. So I’m super excited to get to talk to you. And with respect to your summary of my email, it was probably more like, “I have the privilege of leading an awesome GRC team”, as opposed to “I’m the boss”, but certainly you’ve both been a catalyst to help make that happen and I’m happy to talk about it.
Kip Boyle:
Well, look, I know you’re smart enough to understand the nuances of leadership and how you want to be a servant leader and you want to support your team. I get that, but I’m just telling you when I saw your email, I was excited. And I was just like, “damn, he’s the boss!” I was so excited for you. You’re the boss, as in the guy in the video game, the big powerful dude, right? The boss. Anyway, so let’s get to it. I want to cover a few things. And could you give us the origin story? Where did you get started? When did you decide, “I want to be in cybersecurity even though I’m working in accounting”, just give us the thumbnail sketch of how did you get on the career path that you’re on right now?
Steve McMichael:
Yeah, you bet. I started in business continuity management for Blackberry’s call centers. So it was business impact assessment, plan, test. I was on call for incident response for this global 24-7 operation. As I was doing that, I started doing a part-time MBA. That was about four years. And at the end of the four years, I said, “I want to get more technical. I’ve got one of the security domains, my MBA is a mile wide and a foot deep. I’d like to do something technical.” And I ended up doing an accounting designation, another four years of night school for that. Now at that time I’d thought about getting into information security, but in the mid 2000s, the understanding I was coming to, asking people about it at that time, was that my profile was a business profile, and it’s not a good fit for this technical domain of information security.
So, you busted that myth 15 years later when we caught up. So then the accounting got me into finance. I was in FP&A, that’s Financial Planning and Analysis, the forward looking forecasting, budgeting, making business cases, helping navigate and make decisions. I did a ton of variance analysis scorecards like in your CSF course in your book. And then one day a colleague came by, he was leaving the company and he was looking to leave well, and he said, “Hey, would you be interested in back filling me in [inaudible] compliance?” So that was a good opportunity to get some breadth and depth in controllership, score keeping, compliance, auditing. It was my first exposure to IT auditing, we got a lot of information systems to protect in finance.
And I think that’s probably my first exposure to Dion Training, because I did the CISA certification. That’s Certified Information Systems Auditor. And in studying for that, there’s a lot of Googling, YouTube, Udemy for the CompTIA type skills that you want to learn for that. As that’s going on, the industry was just exploding. You guys talk about cost of a breach went from $3 Trillion to $6 Trillion to in 2025 it’ll be $10 Trillion, so as a person outside, you can’t help but see that in the headlines and get curious about it. So like you said, I was listening to the InSecurity podcast with Matt Stevenson, you were a guest on it. I signed up for your course and it was a huge catalyst for me to break through the barriers and get in. And for example, I didn’t know what GRC was. Then you explained what it was and here I am today.
Jason Dion:
So I know we have some listeners who may not even understand what GRC is, that is, Governance, Risk and Compliance. Can you tell us how do you define GRC and what does that really look like in your company?
Steve McMichael:
Yeah, absolutely. So I’ve been doing it for two years. So please, as my mentors, help me round this out, but here’s where I’ve landed. Also, I want to make a quick disclaimer, similar to your federal reserve guests, views expressed are my own, I’m not a spokesperson for my employer. So here’s how I look at GRC. I’m into outcomes, so what do you get? So when you have good governance, everybody knows the company’s objectives, and its risk appetite, and they make decisions that are aligned to it. Risk management, so that’s about reliably achieving objectives, because we have guardrails and due diligence in place. That might sound bureaucratic and slow and full of friction, but the fastest cars have the best brakes. And then compliance is that we do what we say we do, and can prove it. You could also call that integrity and you guys have talked about that, it’s basically the foundation of everything is integrity. And then we have a service catalog of 11 things that get to those outcomes.
How did I do there?
Jason Dion:
I think you did great. When I think about governance, I always think about left and right boundaries, right? Because the C-suite, the CEO and all of those folks, they need to kind of say, “Hey, here’s how we want to run our organization”. And that allows the directors in each individual area to be able to run the organization according to the larger vision, based on the governance and policies of that organization. I think you nailed it right on risk for sure. It’s all about maximizing the outcome and minimizing any risk or uncertainty of doubt. And compliance, especially for you guys as a publicly traded company, there are rules and regulations that you guys have to do, to show that you are doing these controls, that you are protecting your customer’s data, that you are designing your systems properly. And even from the accounting side that you guys, Sarbanes-Oxley where you started, are doing the right accounting based on this publicly traded company status to make sure the investors are being taken care of as well.
So I think that’s awesome. And I thought it was very interesting when Kip told me you were coming on the show because you’re coming in from that accounting background into GRC. And that’s one of the things we always talk about with the two step version or mid-career transition people, is that a lot of people who are coming from bookkeeping or accounting do really well in GRC. And they think, “oh, I’m not a cybersecurity person. I’m not technical. I don’t know how to get into cyber security.” It’s like, “well you have all these great skills from doing all this compliance work before, go into GRC.”
And a lot of people don’t like GRC. A lot of people think it’s boring. It’s too much controls. It’s too much paperwork. So there’s a lot of positions in GRC that are available. It’s a great entry point into the larger cybersecurity realm. And you can either stay in GRC and move up like you did. Or some people want to get more technical and then move over into more of an analyst or a pen tester role. And that’s okay too. But I think GRC, especially for people who are mid career already and trying to transition, it’s a great place to look. Kip, what do you think?
Kip Boyle:
Yep. First of all, I really enjoy the GRC work that I do with my customers. I love the idea of setting guardrails, talking about risk. Risk is a thing that a lot of people just don’t understand. They conflate their own personal risk tolerance with the organization’s risk tolerance. I mean, there’s so much good work that can be done there. You can really help people figure out how to achieve their goals without taking too much risk. And I want to give a plug out too, by the way, a couple months ago, I released a course on LinkedIn Learning called IT and Cybersecurity Risk Essentials, which poor Jason… That used to be Jason’s course-
Jason Dion:
Steal my course, Kip.
Kip Boyle:
…but there’s a whole bunch of contractual backstory as to why they wanted a new one, and why they asked me and so on and so forth. So Jason and I are still friends, even though my course took his course’s place. But listen, if you’re curious about GRC and you have access to LinkedIn Learning, go take that course that I just released because I do talk about risk and a little bit of governance and a little bit of compliance and it’ll give you a good introduction. But I really enjoy it. And there’s so much opportunity as you said, Jason.
But Steve, from your point of view, and we’ve already said, some people say GRC is not a very attractive career source, we think it’s underrated. What do you think?
Steve McMichael:
Couldn’t agree more, Kip. So I think, and also again, understanding how GRC is underrated. You also need to appreciate, as you guys have explained, how the same job is super different, public, private, big, small. So probably Jason, your experience in the biggest corporation in the world, and all of its bureaucracy, is probably very different than mine at a software company. But yeah, I think Sarbanes-Oxley compliance is underrated. And then I think also it’s an underdog story here that GRC is underrated.
So I did kind of give this a lot of thought and kind of listed out my points and I made it a comment on your YouTube channel and I’ve got them. So it’s like number one, we’re revenue enabling. That’s where you want to be, that’s where you can make an impact. Compliance is based in customer demand. So my team, we report monthly on these are the customers that want… what’s their annual contract value? And any time we meet with you to do an audit, we got to be really clear on what the business case is for why we’re even talking.
So that’s just a good place to make an impact and to drive the business. But, why is it fun? Because some say it’s not. So going to my points, you get great depth and breadth of exposure. So I’m throwing out the script, but the comments are on YouTube. So if I think about it, when I wanted to get into compliance, it was because the breadth was really attractive. You talk about the T shape and the pi shape. But I have an opportunity here to talk to an expert in each domain right across. And that big perspective is something that compliance gets and executives get. So that’s a pretty unique thing. You also get access to leadership. So that’s an interesting opportunity as well.
Business is booming. We need trust and assurance. I think coming from the big, heavily regulated finance, like SOX is 20 years old, from the world of Enron scandals and how we needed compliance to shore up those risks so we can have liquidity and capital markets and trust. Now it’s the time for cybersecurity to kind of go in a similar place. Customers need assurance and it’s how you can deliver it. So you can make an impact, you can get depth and breadth. And further to your points Jason, about thinking about it, even if you want to get more technical, I think it’s a great place to do a rotation in, and then rotate out. But you’re going to get exposure to a lot of great learning and opportunities and ways to stretch yourself and to make a business impact.
Jason Dion:
Yeah, I totally agree with that. Especially the breadth part of it because, as you say, you’re touching each and every part of the organization to be able to do that compliance. Where I come from in the military world, we used to always say tactics are for beginners. And when we talk about tactics, we’re talking about hands on keyboard, actually running scans and things like that. But really that operations and strategy level, that’s where the hard work comes in, where you’re going across the entire organization, seeing how every part of the business is functioning or every part of the organization is functioning and making sure everybody’s going in the same direction to be able to meet all those compliance goals. And it’s not just a checklist on paper, because if you’re just doing it for the checklist on paper, you’re not getting any benefit out of it.
I know Kip, you talked about this in the cybersecurity framework course, if you’re just going down the checklist and say, “yep, I did it. Okay, move on”, you’re not going to really get any benefit of cyber security out of it. But when you actually look at it from a compliance standpoint and why you’re doing it and to be a business enabler, you said in a publicly traded company, you’re a revenue enabler, in my world, we are just trying to be a mission enabler. But both ways are enabling the organization to do what it does at a higher level. And that’s really where that professional, operations and strategy level comes in versus just the hands on keyboard, individual contributor role. You have such a bigger impact because you’re touching so much more of the organization in my opinion.
Steve McMichael:
It’s not just… Oh, go ahead Kip.
Kip Boyle:
Go ahead, Steve. I wanted to take it in a slightly different direction. You wanted to respond, say something.
Steve McMichael:
I think, and it’s not just that we’re doing the checklist to satisfy the customer. We’re focused on adding value, we’re focused on reducing our risk footprint. You’re coming in and asking good questions. So coming from the DOD machinery, you might not even believe me if I say this, but I’ve gone from someone saying, “wow, that wasn’t so bad, that wasn’t so painful”, to, “Hey, I think we actually improved our risk footprint there”, to me saying, “Hey, I hope you had a good experience and reduced your risk footprint”, and they said, “well, Steve, actually that helped me improve the culture on my team”. This is actually… And too, “Hey, we have a project coming up. Can you please be involved?”
So when you focus on how to do auditing well, and it’s not a check within, it’s not to waste people’s time, it’s to optimize use of their time. Be brief, be brilliant, be gone. Think about what’s in it for me. The WIIFM. And you can do that in any compliance discipline, and it’s fun to win those hearts and minds by just doing a good job, adding value.
Kip Boyle:
Man, there’s so much you’re saying that is just resonating so strongly with me. I just wanted to touch on a couple of points. I appreciate in a GRC role, the opportunity just to be closer to how the business makes money. That’s where Kip wants to be. Working in the bowels of the engine room, pulling levers and pressing buttons in order to make systems work, I just don’t find that to be very satisfying. It is very clinical, it’s antiseptic, it’s disconnected from reality. And quite frankly, if the company starts not doing well and senior leaders start looking around and saying, well, who can we live without? Well, that’s not a good place to be, in my opinion. You want to be seen as indispensable. And so I think that’s a good way to do it.
Another thing that I want to call out is there are a lot of people who come to me and say, “Kip, I want to be a Chief Information Security Officer one day, that’s my career goal”, and they’re currently working in a very technical role. And so I say to them, “well, I hope you don’t think that the CISO role is all about technology like a CTO, because it’s not. In most cases, you are going to have to figure out the people and the process and the management part of how you make cybersecurity happen. It’s not just about technology. And if you don’t want to do those things, then you might not want to become a Chief Information Security Officer, because I don’t know how long you’re going to last.”
So you talked about having a rotation at the GRC, as I would call it a career broadening experience. In the Air Force, that’s sort of how we would phrase it. So if you are headed for a CISO job, anybody in the audience that’s listening right now, and you haven’t gone into a GRC role, you really need to rethink that. And I think that’s a great way for you to prepare. Jason, any comment about that?
Jason Dion:
Yeah, definitely. I’ve done a lot of reading on big companies and how people get to being in the C-suite, whether that’s a CTO, CISO, COO, CEO, whatever. And it’s interesting, because just as you said, in the Air Force, you have these career broadening experiences where you go into different jobs to get experience across a wide breadth of the organization. And it’s the same thing. If you want to be the CEO, you probably needed to work in heading up accounting at some point, heading up human resources, heading up sales, heading up marketing, whatever it is. Usually they have three to five of these key areas of the business underneath them by the time they make it to the C-suite. And GRC is one of those things that you can do early in your career and really touch a lot of the organization and get that breadth, as Steve said.
Steve, I’m curious. What do you think were some of the key success factors in getting established within GRC, coming from the world of finance and accounting and then within two years you became the leader of it. That’s pretty quick.
Steve McMichael:
Yeah, I think there’s like a people component there and then there’s the technical skills component. And when I reflect on it, thinking of that question, people come to mind first. We got a fabulous team and the team’s been successful. Jim Collins, Good to Great, it’s old business textbooks-
Jason Dion:
Great book.
Steve McMichael:
…But those are good principles and they stand the test of time. So it’s like the first thing you need to do is get the right people on the bus, in the right seats. So I came to the team, bringing this heavier compliance experience. We were fortunate to recruit, flip a co-op student into a full-time software developer. So he’s indispensable for his software development, technical chops, that I aspire to work towards but I don’t have. We brought in a program manager who’s been at the company 20 years, and knows everybody and is really good at maturing processes and basically being the tip of the spear for intake and reducing friction in the business as we fortify our defenses.
So with respect to the bus and its seats, three new people with new blood into the team and then the existing team was very seasoned cybersecurity professionals and it was “what do you want to start doing? Stop doing? Keep doing? So that we can get good outcomes.” So number one, I’m kind of blown away by how the team comes together and gels and has a good vibe to get good outcomes.
On the technical side, you guys touched on the T shape and then Wes and Kip went really deep on the T shape, in terms of, you got your business acumen and your technical acumen. And the business people need to get more technical and the technical people need to get more business savvy. And then take one technical domain and go deep on it. So for me, that was coming from the IT auditing, the focus on integrity in the CIA triad. I’ve done four years of change management and access management controls for financial systems. So that’s what I kind of latched onto. The same control owners on the identity team that I worked with in Sarbanes-Oxley were the same ones over here for GRC audits. And that kind of was helpful.
And then also I think a couple of points on the business people getting more technical and the technical people getting more businessy. So if this were an accounting podcast on accounting career paths, they’d be talking about folks like digital transformation. You need to get more technical. When there’s a digital transformation, you’re not just doing the same thing you did on paper, on a computer. There’s a paradigm shift where everything is different. So continuous learning, upskilling, more technical. There are CPAs in Canada getting drone pilot licenses to count inventory with drones. And then on the technical side, it’s like, “Hey, there’s this issue, there’s a static URL. What do we do?” And a security engineer says, “well, we’ll lock it down.” It’s like, “whoa, pump the brakes. Can we do a problem statement, alternatives, decision criteria, analysis, recommendation, implementation plans? When you turn it off, who’s it going to impact?” So anyway, so I think there’s a lot of that convergence, and opportunities for everybody to grow. So I brought the auditing, right people in the right seats and we got some good outcomes and we got a good vibe on the team.
Kip Boyle:
Yeah. I love the kind of cross functional dimension that you’re bringing into this. And I particularly want to applaud that you said you brought somebody in on your team who has long tenure with the company. And tell me again, what role are they playing?
Steve McMichael:
It’s a senior program manager. They do intake. You get those executive requests and you need a tip of the spear to… And due diligence memos for security risk assessments, and a variety of things. But it’s just like process architect, reduce friction, and then now the process is in place and more mature and now someone else can do it and move on to the next, and even the service catalog.
Kip Boyle:
So I don’t know if you recruited this person for the same reason that I made a similar move when I was CISO. But I was new to the organization, you’re not as new to your organization as I was to mine. But I realized that I had a disadvantage because I was working in a high tenure organization, I was kind of a baby still when I showed up to be their CISO. And so I recruited somebody who’d been there for 20 years. Because like you said, he brought all the relationships and the deep understanding of how things really work, not just what the org chart says or what the process flow diagrams say, but he knew how things really worked. And so adding somebody like that to my team really amplified what we could get done because he knew who to go to get the informal agreements that you need to get sometimes, in order to get people to agree, to change the way we work anyway.
So I don’t know if that’s why you did it, but I wanted to bring that out because whether you’re doing GRC or something else, whatever your function is, we all want things to get better. We all want things to improve, we want people to consider doing things differently and that’s such a relationship driven thing. And so again, if you’re going to be a CISO one day, you better understand how relationships work in your organization so that you can take full advantage of that way of making improvements. Jason, has it been the same for you or different?
Jason Dion:
Yeah. I mean, I think a lot of that goes back to soft skills and your people skills, and even in big bureaucratic organizations, like the DOD that I worked in. I worked in a couple of areas, especially in cyber, that were relatively new to the DOD and trying to get traditional warfighters who are used to jets and tanks and ships to understand that cyber’s important, and give us some money so we can actually do this thing and build it out. A lot of that was making that business case of why we should spend taxpayer dollars on that stuff, and getting the buy-in because generally it’s a zero sum game. If I’m getting a billion dollars in cyber, that means somebody else isn’t getting another aircraft carrier or something like that because that billion dollars had to come from somewhere. And a lot of that happens in business as well.
And so it is these kind of horse-trading deals where you’re like, “okay, we need this thing to do our GRC work, we need three more people”. Well, generally organizations aren’t just going to create three new jobs because that’s a lot of salaries. So it may come from a different department, or somebody else may be downsized so that they can make room for you to have the budget. And those kind of things happen all the time. And I think if you’re able to understand that, and as Steve said, you’ve got to put what the bigger vision for the business is first, and what outcomes you’re trying to achieve, you can get a lot further.
The other thing I thought that was really interesting that Steve brought up was the digital transformation. I think a lot of people confuse digital transformation with workflow automation. And the greatest example I think about this is generally like taxi cabs. I was just in New York last week, and if I wanted to catch a taxi cab, the traditional old way was you went to a payphone, back when those existed, you’d call up the central number and they would call a taxi over the radio, and 20 minutes later, somebody would show up at your hotel to pick you up.
And then Uber came along and they used this great technology, but they didn’t just do an automation where I could basically text, and then it would go through that whole same system. Instead they had this whole transformation using the new technology of GPS and smartphones. And now when I pull out my phone to call an Uber or Lyft, they’re there within 30 to 60 seconds because there’s already all these cars that are running around and they already know where you are and you don’t have to call them and give them directions. You just say, “come get me”, and they know exactly where you are. And that was just a complete transformation of that industry.
Another great example of that is the US tax system. When I was a kid, I had my first job, I had to fill out my 1040-EZ form and you actually printed it out, you went to the library and you got this piece of paper with the book that explained all the forms and what blocks you had to fill in. And then in the late nineties, there was this thing called TurboTax. And it wasn’t just a workflow automation of filling out a PDF of that form, in a more easy way. Instead, they transformed the whole experience by asking you yes or no questions, making it easy so anybody could do their taxes. And it really just changed that whole industry. So whether you like TurboTax or not, they had a huge impact on the way all Americans now do taxes.
And that really is what we talk about when we talk about transformation. It’s not doing the same things in an automated way. It’s doing different things by looking at the process, what are the steps you actually need? And not just simplifying the process, but thinking through what is the best way to do this overall thing, to get the outcome that you’re looking for? Because it’s not just doing the same thing, faster, it’s doing things differently in your organization. And right now we are just in a huge period of transformation. Most industries over the last two years, because of COVID, had to transform. They were forced into it, even if they were dragging their feet, and it has changed a lot of the way that we are working, so I see a lot of that.
And the other thing that I thought was really interesting, especially about Steve’s journey, is he doesn’t have a master’s degree in IT or cyber security. His master’s degree was an MBA, Master of Business Administration. And then he went back and got an accounting master’s degree, and he didn’t have to go back and get another master’s degree and go back to college to get into cyber security. Instead he used his existing skills, he used his existing degree and he got something that was a relevant transition step, which is the Certified Information Systems Auditor. And for most people, if you haven’t looked at that certification, I think almost everybody I know who’s gotten that certification was an accounting background type person. So even though it is an IT or cybersecurity type certification, that auditing role really is usually done by accountants and bookkeepers.
I have a friend who’s in cybersecurity and his wife was an accounting person, she worked for a large Fortune 100 company that does audits for compliance and things like that. And she went and got her CISA and she had to learn all the tech stuff to be able to pass that exam because she came from the accounting world, not the tech world. But now she does that for a living, similar to the way that Steve did. And I think that this goes back to transferable skills, figuring out where you are, what are the closest… There’s a great book called 40 Days to the Work You Love. And he talks about, you grab the flowers that are closest to you. And you go, “okay, what skills do I have? Now what jobs can fit those skills, that I would love?” And I think that’s what Steve did here as he went through from his accounting transition into this GRC role.
Kip Boyle:
As we wrap up the episode, I just want to commend Steve again for what he’s been able to accomplish. I hope that people in the audience are going to be inspired by what he’s done. And one more thing that I want to talk about, because you mentioned transferable skills. And early on in the episode, Jason, you mentioned a two-step, right? So I don’t know, Steve, if you’re planning to use your current position to make another step towards a more technical role? And you don’t have to say either way, if you’re going to.
But I want to make a point, which is, Steve, you now have people on your team who are technical, and you have access to lots and lots of other people who are very technically oriented with lots of tech skills. I would think, and this is something I want you to answer for me, but I would think that if you wanted to move again to a more technical role, you would have so many people available to mentor you, and to help you make that transition, that it’s possible. Now again, whether you’re planning to do that or not, what do you think about my observation that where you’re at right now, you would have all these people supporting you if you wanted to?
Steve McMichael:
Yeah, totally. I think when you’re in compliance, you’re in the second line of defense in the three lines of defense governance framework. The control owners own the controls. And they are soup to nuts, everything in your CSF, identity, asset, everything. So certainly we partner closely with the architecture team, the SOC, the systems team, everyone under the IT organization. And you own the control, it’s your technical skill, but I help you because I remove the friction and make it less painless to go through the compliance process. And by the way, we’re adding value at mitigating risk and getting the revenue. But then you’re helping me because I just have this exposure to fabulous, exciting knowledge about cybersecurity that I’m trying to absorb as much as I can, I’m like a kid in a candy store.
I want to keep certing up. I’m watching Jason on Udemy all the time. And then with my team, it’s like, “where do you want to go? And how do you want to get there?” with this great online learning stuff that’s out there. And then in terms of, I haven’t planned a next step, I’m just so happy in my current one. But certainly the relationships and the skills and the continuous learning make me feel in a pretty happy spot. Because there’s a lot of different ways to go from this point in the path into many more.
Jason Dion:
And I think even with Steve’s background coming from the business world and the accounting world with his current certifications and his current role, he’s on track for a traditional CISO type position in the future as well, if he desires to get there at some point. Because he’s getting all those skills and getting that breadth and depth across the organization as well. And coming from a very large organization, he could easily move into one of those type of roles in either his organization or another organization over the next 5-10 years. Because he’s building up that foundational knowledge and framework that he really needs to have to be able to do that job successfully. Because as you said, CISO is not necessarily a technical job, it is a lot of people and processes and business and compliance and it’s all that stuff that Steve’s doing currently.
Kip Boyle:
Yeah. So Steve, I don’t know if you realize that Jason and I think you’re on the CISO track, but you are. So that would be a wonderful next place for you to go. And what I particularly like about you being on that track, if you wanted to take advantage of it, is because you don’t come in with a deep technical background, you probably won’t feel the temptation that a lot of people feel when they come in with a deep technical background, where they can’t keep their hands off the keyboard. They’re just constantly tempted to get in there and twiddle the keys and they’re robbing their people of development opportunities. They’re not doing the essential things that only they can do. It’s an anti-pattern, it’s really dysfunctional, and I don’t think you’re going to fall into that trap.
Okay. So I could talk about Steve and all that he’s done and the lessons that everybody could learn from him for a long time. But I think we’re done for this episode. So Jason, do you want to wrap it up for us?
Jason Dion:
Certainly. I want to thank Steve for sharing his time. I know he’s a super busy guy running the GRC team over there, up in Canada, and I really appreciate him coming out here today. It was great to be able to talk to him and kind of figure out what things our audience can learn. And I think a lot of the key takeaways are GRC is a great role to get into in cybersecurity. So definitely looking into that if you’re not already in cybersecurity and you’re trying to make the switch. If you come from another background, look at what your current skills are, and you’ll be able to use that to get yourself into a role. And same thing to start all the way at the bottom as a Junior SOC Analyst or something like that, it’s a lot easier to get in because you have experience. You just may not realize you already have that experience.
So look at your current skills and see what’s relatable. And then remember you don’t always have to go back to college to go get another degree in cybersecurity or IT to be able to get a job. Most places, once you have a college degree, that’s usually sufficient for them. And then it’s more about getting those little certifications to show that you have knowledge in that particular area. And that’s exactly what Steve did as well, with the CISA. So keep all that in mind.
That said, thank you for joining us again for another episode of Your Cyber Path, and we’re going to see you next time. So we’ll see you at yourcyberpath.com. Thanks.
Kip Boyle:
Bye everybody.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.