A conversation with Mike Zachman, Zebra Technologies' vice president and chief security officer. This is one of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment.
Mike Zachman is currently the vice president and chief security officer (CSO) at Zebra Technologies. He has global responsibility for its enterprise-wide product security, information security, corporate security, and business continuity programs. Prior to Zebra, Zachman was the first chief information security officer (CISO) at Caterpillar, as well as Ecolab. Zachman holds an undergraduate degree in management information systems from Millikin University, and a master’s degree in business administration from Bradley University. He is a Certified Information Security Manager, Certified Internal Auditor and is Certified in the Governance of Enterprise IT. He is an active volunteer with Junior Achievement and serves on the National Board for Easter Seals.
What makes a successful security leader?
A successful security leader must be a courageous, credible, and risk-minded leader who values collaboration with their business partners and aligns their security program with company strategy. A key technique of successful security leaders is fully leveraging the knowledge and experience of their peers in the security community, their vendor partners, and government/law enforcement.
What are some of the external priorities and internal priorities that leaders should be focusing on?
First, know your environment. It’s extremely difficult to protect what you do not know you have. This seems very basic, but it is a common issue for companies. Keeping a current list of systems, applications, and devices is a surprisingly difficult task. Knowing which systems are the most important is even harder, but having a prioritized inventory of digital assets is the foundation for designing and executing a security program. Imagine it’s your job to keep a group of school kids safe on a field trip, but you don’t have a list of who is going on the trip. That list is probably the first thing you’d ask for before leaving the school.
Second, know your defenses. Based upon your inventory, you need to make sure you have taken appropriate steps to protect your assets. “Appropriate” is an important word, because not all assets should be protected the same. To use a common example, a company’s “crown jewels” should be highly protected, while its cafeteria menu should not. Constantly look for gaps in your defenses. After all, that’s what the cyber criminals are doing. If you lock 99 out of 100 windows, the criminals will find that one unlocked window. Always be on the lookout for your weakest link so you can strengthen it.
Third, practice your response. Companies will have a security incident/breach. It is simply a matter of time, so any good cybersecurity program includes effective incident response. As I mentioned earlier, one of the most critical parts of an incident response is the pre-planning efforts that happen in anticipation of a future breach. It is in these pre-planning activities that companies have the best chance of ensuring a rapid and effective response to a security incident/breach. Think about fire drills; the time to figure out evacuation routes is not during a real fire. It’s not enough to have planned those routes; we are required to practice them via fire drills.
Finally, communicate well. People equate security with secrecy, and there is some truth behind that. However, good cybersecurity programs need to also be properly transparent. For example, executives need to know and understand the cybersecurity risks facing the company. An effective program does not overstate the risks by spreading FUD (fear, uncertainty and doubt) in the hopes of getting more budget. An effective cybersecurity program also does not understate the risks to get good ratings or avoid difficult conversations. Transparency is paramount when dealing with external stakeholders. The past approaches of denials and “sugar coating” breach disclosures to the public have often proven more harmful to the company than the breach itself. As the adage says, “It’s not the crime, it’s the coverup” — the same is often true with security incidents/breaches. External stakeholders are much savvier than companies may believe; they are able to understand the facts — good and bad — regarding security incidents.
How can cyber leaders work with corporate peers to win buy-in from C-suites and boards of directors?
Building relationships with other executive leaders and your board is essential. Be seen as a business enabler, not as a hurdle. The use of fear, uncertainty and doubt simply won’t do if you want to be perceived as a true leader. The ability to influence is critical to the success of a cyber program, and your ability to influence will be determined by your credibility and ability to communicate.
Listen more than you speak. When you speak, don’t talk about vulnerability counts and technical controls; talk about cyber risks within the context of the business. Don’t be the “Department of NO” — be the “Department of KNOW.” Provide options, opinions and recommendations. Support risk-based decision making.
What kinds of non-technical training do security leaders need to be successful in leading global enterprises?
Security leaders need the same training as any successful executive. Key training should focus on leadership and communication. The ability to create and drive a common vision, aligned to the overall business, is fundamental. How to build, motivate and maintain your team is essential. The ability to influence others is a critical success factor.
Why did you join the Cybersecurity Collaborative?
I value the power of the collective wisdom found through the cybersecurity community. Peer networking and collaboration are a valuable “easy button” that we all can use. In addition to peer networking, the Cybersecurity Collaborative goes further by organizing Task Force teams to bring resources from various members together to address commonly prioritized issues.
What has been valuable to you with your membership in the Cybersecurity Collaborative?
I have personally found the greatest value in the well-organized peer networking events as well as the daily emails with cyber-related news headlines. My broader team has benefited from the training available through the Cyber Leadership Academy as well as several of the Task Force teams.