The Dig Leagues – Our Interview with Mike Wilkes

Sharon Farber

Mike Wilkes is a Chief Information Security Officer who has built, transformed, and protected companies such as SecurityScorecard, ASCAP, Marvel, AQR Capital, ING Bank, Rabobank, CME Group, Sony, and Macy's, as well as European banks and airlines. Nominated to the World Economic Forum as a technology pioneer in 2020, he provides thought leadership in working groups on cyber resilience in the oil and gas industry and on quantum security. A graduate of Stanford University and author of a book for Cisco Press in 2002, he is a featured speaker at technology conferences such as Black Hat, Gartner, GovWare, and SANS, and a professor at NYU teaching cybersecurity courses. An avid jazz fan and musician, he also serves on the board of trustees of the National Jazz Museum in Harlem and advises several startups.

Tell us about your background

I’ve been a CISO for the last 6 years, but I’ve been doing security work on the internet for the last 20 or 30 years. It was the roaring twenties of my generation, and at that time, there were no CISOs. I’ve had the privilege of working in many different industries throughout my career, from e-commerce to gaming, video, oil and gas, banking, venture capital, entertainment, and more.

I was fortunate enough to move from California to Amsterdam with my wife and work in Europe for 11 years. We moved back to New York about 10 years ago, where I worked at the Chicago Mercantile Exchange managing their enterprise server platform. Then, I moved on to do the world’s most important job: protecting Iron Man and The Hulk as the CISO of Marvel. From there, I’ve held various other CISO and security positions, and I continue to participate heavily at industry events. I also currently teach a cybersecurity course to students at NYU.

What is your cybersecurity leadership style and approach?

I like to think I take a mission-driven, values-based approach. I don’t just want to have a big fancy logo on my resume, I want to do something that I believe actually makes the world a better place. I take a lot of inspiration from Reed Hastings’ Netflix Manifesto, which talks a lot about freedom and responsibility for employees. I like to draw inspiration from that when delegating to my team. I give them 100% freedom and 100% responsibility to do the job. I want everyone to act like an owner of the company and to spend company money as if it's their own money, or pick protective tools as if they’re protecting their own identity or assets. 

As a CISO, there can be a security incident of any magnitude at any time, so I also make sure to have “social contracts” in place with my team that go way beyond a regular “business contract,” or the typical exchange of time and attention for money. A social contract for me and my team means if there’s an emergency at 2:00 in the morning and I call you, you’ll pick up, and vice versa.

What have been some of the biggest changes you have witnessed over the course of your career?

There's a pendulum swing in various industries, where we go towards centralized computing and then we go towards distributed computing. In the early days, there were really strong central computers and really primitive terminals. With the advent of distributed computing, we’ve been able to offload a lot of work thanks to more powerful workstations and PCs. But now, we’re seeing more centralized computing coming back. 

I don't think that there are necessarily major shifts in technology other than these pendulum swings. For example, in the telecom industry, the pendulum swung to providers bundling all of their call, text, and data services. Then, once they gave consumers all of the bundled services, the pendulum swung back the other way. I've been able to notice and participate in many of these kinds of cycles over the years, like the shift from in-store sales to online, and back again. 

Another big shift I’ve noticed has to do with the move to the cloud. We now have the most powerful compute platforms we’ve ever had, an endless amount of information you can search for, and people continually embracing solving problems using computers. We basically have the Library of Alexandria in our pockets, but it’s critical to know where your data is. There are now providers like Dig that are in the business of helping people discover assets that they don’t even know they have. Dig offers critical coverage that was previously missing in the cloud security landscape via their solution that combines Data Security Posture Management (DSPM) and real-time Data Detection and Response (DDR). DSPM enables organizations to quickly locate their most critical data in both structured and unstructured data assets, and DDR ensures an immediate handling of newly discovered data-related incidents by integrating with existing security solutions. 

Would you say people across organizations are proficient in identifying and securing their data assets?

Most security-proficient professionals and practitioners are very disciplined and concerned. What I find is that the adjacent space in the org chart is sometimes reluctant to embrace knowing about security. Let’s look at lawyers for example. As soon as a lawyer finds out about a risk, they know that they are culpable for mitigating and addressing it. But I’ve heard of executives asking for a security assessment from a provider and then asking them to destroy all copies of the report once completed because they’d rather ignore the information than be culpable and liable given the new knowledge they have about their risks. I think that's obviously a very backwards approach, especially when it comes to vital security measures. People need to understand that it's not a matter of if you will be breached and attacked. It's a matter of when and how often. 

What is a major cloud data security trend you’re paying attention to in 2023?

I've been paying attention to TDF, or trusted data format. TDF was invented by the NSA and it’s used in products like Virtru and others where you can have client-side encryption. The idea is to have zero knowledge so there is no liability. Even Google is getting into it and architecting Gmail and other things to minimize their exposure and risk of user data in the cloud. With TDF, you can also dynamically redact the objects of an appendix inside of a Word document based on a company or person’s security policy. So, the security policy follows the data, even as it goes out the door and goes to other networks and other devices. I think that’s pretty cool. 
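The mechanism behind "the security policy follows the data" is worth seeing in code. The following Python is an added illustration written for this article; it is not OpenTDF, Virtru or NSA code and does not reproduce the real TDF manifest format. It models the three ideas in the answer above: every section of a document is encrypted under its own key, the access policy is cryptographically bound to that ciphertext so it cannot be swapped for a looser one, and a key access server releases a section key only to a requester who satisfies the bound policy, which is what makes per-section redaction of an appendix possible. The stream cipher (HMAC-SHA256 in counter mode) is a standard-library stand-in for AES-GCM so the example runs anywhere; the KeyAccessServer class, the clearance:finance attribute, the e-mail addresses and the sample document are all constructed for the example.

```python
# Toy model of policy-bound ("policy follows the data") encryption.
# Constructed example, not OpenTDF/Virtru code; HMAC-SHA256 counter mode stands in for AES-GCM.
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple

KEY_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _binding(dek: bytes, policy: dict, nonce: bytes, ct: bytes) -> str:
    """Policy binding: MAC over (policy, nonce, ciphertext) under the section key,
    so a looser policy cannot be attached to an existing ciphertext."""
    policy_bytes = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(dek, policy_bytes + nonce + ct, hashlib.sha256).hexdigest()


class KeyAccessServer:
    """Hypothetical key access server: keeps the key-encryption key and releases a
    section's data key only to a requester who satisfies the bound policy."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(KEY_LEN)

    def wrap(self, dek: bytes) -> Tuple[str, str]:
        wrap_nonce = secrets.token_bytes(16)
        return wrap_nonce.hex(), _xor(dek, _keystream(self._kek, wrap_nonce, KEY_LEN)).hex()

    def rewrap(self, section: dict, requester: dict) -> bytes:
        wrap_nonce = bytes.fromhex(section["wrap_nonce"])
        dek = _xor(bytes.fromhex(section["wrapped_dek"]), _keystream(self._kek, wrap_nonce, KEY_LEN))
        # 1. Integrity: the policy presented must be the one the author bound to the data.
        expected = _binding(dek, section["policy"], bytes.fromhex(section["nonce"]),
                            bytes.fromhex(section["ciphertext"]))
        if not hmac.compare_digest(expected, section["binding"]):
            raise PermissionError("policy binding mismatch")
        # 2. Entitlement: dissemination list (if any) and every required attribute.
        policy = section["policy"]
        if policy["dissem"] and requester["email"] not in policy["dissem"]:
            raise PermissionError("not on dissemination list")
        missing = sorted(set(policy["attributes"]) - set(requester["attributes"]))
        if missing:
            raise PermissionError("missing attributes " + ",".join(missing))
        return dek


def protect_section(kas: KeyAccessServer, title: str, text: str, policy: dict) -> dict:
    """Encrypt one section under a fresh key, bind its policy, wrap the key at the KAS."""
    dek, nonce = secrets.token_bytes(KEY_LEN), secrets.token_bytes(16)
    plaintext = text.encode()
    ct = _xor(plaintext, _keystream(dek, nonce, len(plaintext)))
    wrap_nonce, wrapped = kas.wrap(dek)
    return {"title": title, "nonce": nonce.hex(), "ciphertext": ct.hex(), "policy": policy,
            "binding": _binding(dek, policy, nonce, ct), "wrap_nonce": wrap_nonce, "wrapped_dek": wrapped}


def open_document(kas: KeyAccessServer, doc: List[dict], requester: dict) -> Dict[str, str]:
    """Decrypt each section the requester is entitled to; redact the rest in place."""
    out: Dict[str, str] = {}
    for sec in doc:
        try:
            dek = kas.rewrap(sec, requester)
        except PermissionError as err:
            out[sec["title"]] = f"[REDACTED: {err}]"
            continue
        nonce, ct = bytes.fromhex(sec["nonce"]), bytes.fromhex(sec["ciphertext"])
        out[sec["title"]] = _xor(ct, _keystream(dek, nonce, len(ct))).decode()
    return out


def demo() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """Constructed document (open body, finance-only appendix) read by three parties."""
    kas = KeyAccessServer()
    doc = [
        protect_section(kas, "body", "Q3 plan: expand the Amsterdam office.", {"dissem": [], "attributes": []}),
        protect_section(kas, "appendix", "Payroll total: 4.2M EUR.",
                        {"dissem": [], "attributes": ["clearance:finance"]}),
    ]
    cfo = {"email": "cfo@corp.example", "attributes": ["clearance:finance"]}
    intern = {"email": "intern@corp.example", "attributes": []}
    forged = json.loads(json.dumps(doc))    # attacker copies the file and
    forged[1]["policy"]["attributes"] = []  # tries to loosen the appendix policy
    return open_document(kas, doc, cfo), open_document(kas, doc, intern), open_document(kas, forged, intern)


if __name__ == "__main__":
    for reader, view in zip(("cfo", "intern", "intern with forged policy"), demo()):
        print(reader, view)
```

Running it shows the CFO reading both sections, the intern getting the body with the appendix replaced by a redaction marker naming the missing attribute, and the forged copy failing at the key access server before any entitlement check, because the binding no longer matches the policy presented. That ordering is the design point: the server checks integrity of the policy first, then entitlement, and the data key never leaves it otherwise.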

Do you have a piece of parting wisdom for today’s security leaders?

A quote I love to reference is “there are two types of CISOs: pre-breach CISOs and post-breach CISOs.” Pre-breach CISOs are all about the tools, but once a breach happens, they realize it wasn’t the tools that mattered. It was the people and the process. If you don’t have good people and processes in place, every tool will fail. I urge leaders to work on security awareness, training, and leveling up the skills of their team. Don’t worry that people will leave, worry that people will stay in an unimproved state. Take the time and effort to invest in continuous education and improvements for your team and the organization at large. 

I also recommend everyone join their regional or industry ISAC (information sharing and analysis center). There are different ones based on industry and specialization, and it’s a great way to share information, learn about threat intelligence, and gain exposure to other people and other practices. That’s the way we raise the boat, by lifting the tide for everyone. 

