Cybersecurity Fundamentals with Mark Houpt of DataBank

Author: Scott Kinka

On this episode of The Bridge, I’m joined by Mark Houpt, the Chief Information Security Officer at DataBank. We’re talking about cybersecurity fundamentals: current challenges, the global landscape, why relationships and communication are critical to cybersecurity success, and so much more.

DataBank is a leading provider of enterprise-class data center, cloud, and interconnection services, offering customers 100% uptime availability of data, applications, and infrastructure. DataBank’s managed data center services are anchored in world-class facilities. Their customized technology solutions are designed to help customers effectively manage risk, improve their technology performance and allow them to focus on their core business objectives. 

During our conversation, we got into overall cybersecurity fundamentals, like why transparency and customer service are key values for Mark and DataBank and how the biggest challenge in cybersecurity is not the technical aspects but the apathy and ignorance towards cybersecurity. And that was just the tip of the iceberg!

Topics covered in this episode:

  • Mark’s Role as CISO and the CISO Corner podcast.
  • DataBank’s growth and expansion and their focus on security as a top priority.
  • The current threat landscape and evolving security concerns.
  • What’s happening in the changing landscape of cybersecurity threats?
  • The importance of immutable backups.
  • Why the regulatory environment, including privacy regulations like GDPR and CCPA, is a significant driver for security concerns.
  • Cyber warfare between nations and why threats haven’t diminished.
  • The vulnerability of small and medium-sized businesses and some advice for small business IT directors.
  • Creating a strategic plan and addressing risks.
  • Why building relationships and collaboration is critical for success.
  • Shameless predictions for the future.

Links for this episode:

Mark’s Podcast

ABOUT MARK HOUPT

Mark serves as DataBank’s Chief Information Security Officer and is responsible for developing and maintaining the company’s security program road map and data center compliance programs. He brings over 30 years of extensive information security and information technology experience in a wide range of industries and institutions. Mr. Houpt holds an MS-ISA (Master’s in Information Security and Assurance) and numerous security and technical certifications (CISSP, CEH, CHFI, Security+, Network+), and is qualified for DoD IAT Level III, IAM Level III, IASAE Level II, CND Analyst, CND Infrastructure Support, CND Incident Responder, and CND Auditor positions and responsibilities.

Mark is an expert in understanding and interpreting FedRAMP, HIPAA and PCI-DSS compliance requirements. He is an active member of ISC2, ASIS International, CompTIA, IAPP, and ISACA, among other leading national and international security organizations. Mark drives DataBank’s information security and compliance initiatives to ensure that the company’s solutions continuously meet rigorous and changing compliance and cyber-security standards.

CONTACT MARK

Web. https://www.databank.com/about-databank/leadership-team/

LinkedIn. https://www.linkedin.com/in/mark-houpt/


Full Transcript

Scott Kinka:

Hi, and welcome to another episode of The Bridge. I’m excited about this one. Our pre-call was great. My guest on this episode is Mark Houpt. He’s the CISO, Chief Information Security Officer, at DataBank. Welcome to the show, Mark.

Mark Houpt:

Thank you very much, Scott. It is my pleasure to be here. And yes, our pre-call was fantastic, so let’s get this rolling.

Scott Kinka:

Yeah, I’m all about it. First, where are we speaking from? Where are you located?

Mark Houpt:

A bunker in a cornfield in central Illinois. That’s where I’m at. No, I’m not. Chicago.

Scott Kinka:

Is this your bunker? Are you one of those guys or this? Are you in a data center?

Mark Houpt:

No, I am actually a remote employee, and so is the rest of my team. That’s why I kind of play that. Anytime I say Illinois, people immediately think Chicago and I’m 200 miles south of Chicago, right in the center of the state. That’s why I say that.

Scott Kinka:

Fantastic. Have you always been from Illinois?

Mark Houpt:

No, I’ve grown up. I’m a military brat, and some would say I’m just a plain brat, but I’ve grown up all over the world, in the UK, Japan, and all across this country. I was on active duty myself. My father did 20 years of active duty, so I’ve got a lot of experience running around the country and doing different places. But I’ve been here in Illinois for the last, oh, I would say about 15 years, and from my military clock, it’s time to pull the plug and get moving.

Scott Kinka:

I was just going to ask, and no offence to Central Illinois as you laid out there, but you mentioned a lot of exotic places, and then you just spent 15 years self-described in a bunker in a cornfield.

Mark Houpt:

Yeah, yeah. Well, we decided that my wife and I be married and start our life in Indianapolis, the boys. We have three boys, and they were born there. As they started school, we had an opportunity to move over here for a couple of years to serve in a location, and then we decided no, the kids are going to be able to graduate from school in one place. They all have now graduated from school. We are empty nesters, and our wings are sprouting. How’s that?

Scott Kinka:

I get that. Well, we are in similar spots. Raised three here in West Chester, Pennsylvania, outside of Philadelphia, and I have a full house only because it currently happens to be spring break at Penn State, and two of them are home, but my third is already flown, and I have one about to graduate. So we are, yeah, pretty quiet around here most days except when Jean and I have recording days like today, and we’re trying to lay down a handful of episodes of The Bridge here. Well, that’s fantastic. Tell me how you got it; we got the military career. Did you go straight from there into DataBank?

Mark Houpt:

No, no, no, no. See, I was in the military from 91 through 95 on active duty, and I started at DataBank in 2015, so I had a 20-year gap between the military and DataBank, and during that period of time, I did everything I could to stay in security. That’s really where my passion is. I started in the military working with the naval security group activity doing cryptology, and I tried my hardest to stay in that, but I worked at healthcare companies and finance companies and spent seven years as a CTO and a CISO at an educational institution before transitioning over to DataBank in 2015. So, I’ve been here for over nine years now. I started in January 2015, and I have over nine years as a CISO the entire time, which is an incredible amount of time for any CISO since we have a lifespan of about two to three years.

Scott Kinka:

Mathematically, the statistics would tell you that, which is an amazing story, and I want to get to DataBank in a minute, but just quickly, to put it in perspective, oftentimes when you meet people from service providers, they don’t have a lot of customer experience. So it’s interesting you’ve got nine years at DataBank, but all of your experience before that was as an act. I mean, you’ve sat in the CISO seat, let’s be clear, and now you’re serving CISO problems. Is that a good way for me to think about it?

Mark Houpt:

Yeah, I’ve served in many different types of seats and learned that customer service skill, but yes, I’ve been a CISO before I was here at DataBank. I’ve grown with the company from 80 people to now over 800 people from just a few data centers, literally two data centers, up to now over 70 data centers. So, I’ve grown with the company during that period of time, and my skills and abilities have grown as well. So

Scott Kinka:

I’m going to ask you a little bit about DataBank in a minute, but I want to just finish clicking in on one thing. You’re super active in the CISO community. I mean, when I did my pre-game research before we got on there and I went on YouTube, I looked you up. You were on a bunch of everybody else’s podcasts, but it also looked like you were hosting quite a bit. Tell me a little bit about the CISO Corner that you guys run.

Mark Houpt:

Yeah, so DataBank runs CISO Corner and the podcast got started as an opportunity for us to work with our own sales teams, to educate them and work with our internal teams, including our customers, to communicate to them about security products that we have and changes that we’re going to make. We always said it’s a non-contractual binding conversation, but it does give the customer it gives the people a better understanding of how we do things and what we do because one of the things we like to be is we like to be transparent, and I jokingly call myself the transparent CISO, which is completely contradictory to what most CISOs are. They like to hide and not be seen, but I believe DataBank believes that if we can be out there and talk about these things, that is going to make everyone better. And that’s really CISO’s intent. How can I help you be better, whether you’re a CIO, a CEO or even the way I talk about these things sometimes is even right down to the first year person that’s come out of college, that’s come into the environment, here’s how you do security and here’s best how to do that and just kind of help people along the way.

Scott Kinka:

That’s awesome. And you guys are about to start up another season of that coming up shortly, right?

Mark Houpt:

We’re hoping to, yes, and we do want about one a month. We’ve had conversations with our own vendors about bug bounties and how those patches get developed and worked out. We’ve had conversations with leading experts on the criminal justice information system and StateRAMP, and we’ve had our own internal conversations as well with my director of compliance and my director of physical security and security architecture and just kind of describe how those roles work within the organization. So, there’s a lot of information out there over the past few years.

Scott Kinka:

That’s great. We’ll make sure that we include nodding to our producer, Gene, and provide a link to that in the show notes so that people can check that out. One last question just for you: I’m going to ask you a couple of questions about DataBank before we get into the meat of the conversation. When I talk to people who are in a role, a traditional role that most companies would have, whether they’re a service provider or not, there’s always the question of are you that role for the service provider facing customers? Are you also that role for you as a business entity? So, you are the CISO for the business entity and represent the product and customers. Is that a good way for me to look at it?

Mark Houpt:

Yes, and I would even layer on that customers come to us and ask my advice, ask the advice of my team because one of the things that we promote at DataBank is that we’re here to help you get your workloads into the environments that you have and best secure them or best operate them in the case of our cloud or network team. And so yes, my first and foremost role is to be the CISO of DataBank and guide and empower our teams internally to apply security not only to our customers’ environments but to ours. But I also have that external role where I get on the phone with prospective customers, I get on the phone with current customers, and we talk through the needs and the various pieces that are necessary to ensure a secure environment. In fact, just this afternoon after this call, I’ll be on with one of our customers talking through a couple of challenges.

 

Navigating the Regulatory Landscape: Why Security Remains a Top Priority for DataBank and Beyond

Scott Kinka:

I love that. So, I’m going to ask you for people who don’t know the DataBank story. I mean, you gave a little bit of it to two data centers. Now I think you said something like 80, 70 or 80 data centers, 28 employees to 800. Give us a little bit of that story. While you’re doing that, though, I was listening very intently when you were talking about the role, and you sort of put security in, like yes, as a data center provider, but you’re helping people get workloads and secure them is security. If I were to ask anybody, DataBank, to give me one sentence on DataBank, would security be in the descriptor of the workload transition for everybody? I mean, is it that core to what you guys do?

Mark Houpt:

Yeah, in fact, that conversation would help people secure their workloads or help them develop workloads that are secure. So yes, I think that security would be a significant piece of that conversation. If you talk to most people if not all people at DataBank, I’ll go back to the story in just a second, but we’ve got the magic quadrant, and we went out and asked our leadership, we went and asked our board members and we asked our customers, what is the most important thing that DataBank needs to do strategically in the next three to five years in order to succeed? And security was the top thing. The top far right-hand quadrant of that is to maintain the security that we have, increase the security that we have, and make sure that we’re meeting our customers’ needs. So all three of the leadership factors, our own leadership, our boards and our customers all said security is the top thing that we need to keep our eyes on. So security will be spoken there. But going back to the DataBank story real quick, in 2005, DataBank was born in Dallas, Texas, and it was born inside the former Federal Reserve building in downtown Dallas across from the headquarters of a very large communications firm that may or may not have had some problems in the past few weeks. And so right down there, an old building, and we took that over, and that’s how we got our name. It is like, Hey, we’re going to be storing data, and we’re going to be storing it in the Federal Reserve Bank there in Dallas. And so from that

Scott Kinka:

I’ve been to the building. It’s super impressive and really interesting. Yeah, it’s unmistakable, that’s for sure.

Mark Houpt:

That is true. And then there are two little secrets about that building if you haven’t seen them. But if you ever come to Dallas, what we call Dallas one of our headquarters buildings, ask for a tour of the vault and ask for a tour of the gun range because down there, the guards from the Federal Reserve used to go down in the basement and practice shooting their pistols and their Tommy guns and they have a gun range in the basement.

Scott Kinka:

Well, I didn’t get that on my tour. This has probably gone back 15 years now or whatever, 12 years. So I feel a little bit gif, but I will get it next time and maybe you’ll be there and we can do it together. So I get it. So tell me more. So from then, building up from that building.

Mark Houpt:

So, building up from that, our founder and teams, they built an organization that was very viable and sustainable up until about 2015. And then, of course, data centers took off in the early 2010s. So they brought on investors and some additional management people. And by the way, some of our key founders are still with DataBank today, so we didn’t sell out and get rid of them or anything, but they’re still there. And so what DataBank did from essentially 2015 until about 2020 or 2021 is that we built a business by acquiring other smaller data centers. In fact, one of ’em was much larger than us, but we acquired a number of additional businesses like Edge Hosting and C7 out in Salt Lake, and the biggest acquisition we had was zColo, coming out of Zayo. So, we bought Zayo’s data center business because they wanted to focus on the telecommunications piece. So we bought that, and that was the launching pad for who we are. Now, we’re doing more organic growth, where we’re buying real estate and building the data centers ourselves. We’re building these 800,000-square-foot buildings, and we are filling them before we even get them built. In a nutshell, that’s the DataBank story, from how we got our name to who we are today, just continuing to grow. And like I said, in 2017, we had about a hundred, 125 people, and here in 2024, we’re topping over 800. We were at 10 data centers in the 2018 timeframe, and now we’re over 70 data centers. So it’s just amazing, an incredible growth trajectory.

Scott Kinka:

Mark, are all domestic on the data centers, or have you crossed the pond?

Mark Houpt:

Good question. So our focus is on domestic, but we do have a data center in London that was part of the zColo acquisition, and we love them, but they are over in London, originally part of the zColo acquisition. We also had five data centers in France. But if you go back and look at our history, we divested ourselves of them and sold them to a company last year in order to focus on our US and then the British side of things since they also speak English. And we can work with those kinds of things fairly easily.

Scott Kinka:

Yeah, I’ve acquired and integrated European businesses, and I agree for me there, the Netherlands. The challenge with the Netherlands, obviously, is that you get into the EU, and then certainly, as a CISO, the regulatory environment becomes wildly different. So I get it. Great stories. Let’s slide back to the security side for a moment. I want to double-click on something that you said earlier on your side. You said that in the three constituencies that you all said, security was the most important thing in the top right quadrant. Here’s what we have going on. We regularly talk here on The Bridge talk, and we use Bridgepoint research from Bain and Company, where they have this quarterly sentiment survey about whether your budget is going up or down. Do you have concerns about the budget? What macroeconomic things are you hearing about regarding your budget? What does that mean about your priorities? How have your priorities changed? So it’s nice we get to constantly look at the priority list quarter over quarter. So now here we are like, I don’t know, 12 quarters in a row, security’s number one and everything below it like bucks and weaves and moves, and it was AI. And I mean, believe it or not, now cost containment is number two, and we are way ahead of everything else, and I mean, it’s pretty logical. We want to spend money on AI; we just have to go find it because the budget didn’t go up, but security hasn’t moved, and it sounds simple. Okay, yeah, sure. If something goes bad from a security perspective, it’s earth-shattering to the business. So it should be number one, of course, right? But is there a point, or isn’t there a point? Shouldn’t there be a point where it’s less of a priority because we have it on the rails, right? Why is it still number one in your mind?

Mark Houpt:

Yeah, well, it’s going to stay number one until we finally don’t have any attackers out there, which means that it’s always going to be number one, but that’s a little bit of a tongue-in-cheek type of conversation, but it’s going to be number one, and it’s going to continue to stay number one, because of the fact that right now because of regulation. So, if you had asked me that same question five years ago, I would’ve told you it’s because of ransomware. It’s because of the attackers and reputational harm as a result of the attacks that are happening, which could bring down a business fair. But today I’m going to tell you it’s because of regulation. It’s not just privacy regulation, although that is a very significant piece of it right now, with GDPR coming on board a number of years ago and then the California Consumer Privacy Act and its subsequent renditions. There is talk in Washington of having a national privacy law that exceeds or is equivalent to CCPA. The SEC has gotten involved with regulations for those that are traded companies, states have gotten involved, and the reason that they keep getting involved is because of their constituents and their constituents, not meaning the voters, but those who are really the ones that are kind of paying the bills in the sense of the lobbyists and whatnot. The business owners and the business folks out there, the regulations are coming along because of their lobbyists, and there are people there saying we cannot have another Colonial Pipeline that shuts down the gas environment. We cannot have another major situation where this attack or that attack causes a massive impact on the economy and the people of the nation. There is plenty of willingness to allow individual companies to be attacked, but when you have a Colonial Pipeline, or you have a major infrastructure type of attack that occurs, that causes the pain at the wallet and pain of the individuals on widespread, that’s where this is coming from.
So what you see now is in response to executive orders that have come out of the White House that have said, if you are even remotely a part of infrastructure and they’ve defined it in such a broad way that even DataBank could be considered as part of the infrastructure environment, not just an energy producer because we host energy producers, then you have to comply with X, Y and Z. Now, the interesting thing is that CCPA, the executive orders, which we’ll call EOs going forward and things like that, have not really been tested in court. In fact, GDPR tries to enforce its European rulings with GDPR on us, but it has never been tested in court. So it’s going to be interesting when it finally rises to the level of being tested in court, and then we will start seeing that type of pushback. That’s a long-winded answer to tell you that that is why security is currently top of the mind. Yes, there are attackers coming in, and yes, there’s insurance paying for the ransomware, but right now, it’s the regulatory environment pushing that. Nobody wants to be the one who tests the court case.

Scott Kinka:

Yeah, you don’t want to be the precedent by which all others are measured. Right, in that regard?

Mark Houpt:

Absolutely not.

Scott Kinka:

Totally makes sense. And we’ve had quite a bit of a conversation around regulatory on the pod about none of it’s real until there is precedent set, but the reality of it is it’s real enough that you’ve got to react to it. I think the interpretation, I find, is the thing that the CIOs or directors that I talked to are challenged with. They look at the razor’s edge of these regulations, and they’re like, we have to be perfect. And I’m like, you don’t have to be perfect. You have to have a plan. It’s got to be documented. The documentation has to match the regulation. At the very least, the minimum, the right,

Mark Houpt:

It’s the spirit of the regulation.

Scott Kinka:

It’s the spirit of the regulation, and then you have to be able to prove that you execute on it, and then you test it. I mean it, it’s not that onerous, but I guess to your point, this really is, well, of course, it’s onerous, but you know what I mean. It’s not like you’re not expected to be any more perfect than the industry can be perfect, but you are expected to do all the things that the industry lays out as acceptable practices, particularly in that individual regulatory environment.

Mark Houpt:

And in your contracts, there are three words that you’re going to be looking for. It’s industry best practices a hundred percent. Those are the three words that DataBank, or anybody else that’s a service provider, is using to say and guarantee to you that we’re following these regulations within close proximity to the spirit of the regulations. And especially until some of them are tested, one couple of them might be tested, then we may have to tighten some things up, or we may get to loosen some things up. But certainly, that’s the going precedent right now.

 

From Ransomware to Cyber Warfare: Current Cybersecurity Challenges

Scott Kinka:

Certainly, let’s take one step back. You mentioned that’s the going concern now, but if we ask you to cut the question a couple of years ago, it would really be about the threat landscape. And, of course, we know the threat landscape is ever-evolving. It’s not going to go away, but is it primarily variations on the same kind of things that we’ve been concerned about since that period of time a couple of years ago, or they’re sort of holding new types of threats in the landscape right now that you and the rest of the CISO community and as well as your customers are concerned about?

Mark Houpt:

All the above. I think that, first of all, yes, ransomware, DDoS attacks, and things like that, the tried and true scenarios are still out there and very prevalent. But what I think has changed a little bit is that there is a little less fear now than there used to be. So 5, 6, 7 years ago, getting hit by a ransomware attack had a good percentage of destroying your business either by reputation or actually destroying your business where you had to shut your doors. We don’t hear so much anymore about businesses shutting because of ransomware, and there’s a reason for that. That’s because a lot of companies, including healthcare, are in one of the biggest attacked environments. Academics, the other, are because they’ve caught up on some of the best practices that use that term. Again, that should have already been in place back then. For example, you can call having immutable backups a security problem by not having them, or you can call it an IT problem just the same. You should have had immutable backups to begin with. And just for those of you who don’t understand what immutable backups are, it’s different than a regular backup. A backup is one in which you take the backup, you’ve got the data, it may be encrypted, but you could pull it back the information back, and the ransomware attackers figured out how to get their ransomware into those backups, into backup. But the immutable backups are ones that have a lot of features placed upon them so that you can see where they haven’t been changed. That’s the key with the immutable piece. But those immutable systems that are putting those timestamps and locking them down so that they can be used are also doing a lot of scrubbing. They’re layering on security pieces to make sure that the bad stuff is not in there. And so again, five years ago, I think there was a lot of fear in it. Now it’s more along the lines of, yeah, it’s going to happen. It’s not going to close my doors. 
But as we’ve seen with health partners here the past couple of weeks, we may have to turn the web service off, and we may have to turn our business off for a couple of days in order to recover from it, but we’re not closing the doors. So I think that’s a big change in the past couple of years. But let me be clear about this one thing. The threats have not diminished. The threats have not gone away. In fact, what we’re dealing with now more than ever, and the FBI director came out and just said this the other day, and we’re recording this in late February, so you can go historically, look at the week of February 26th or the previous week, the FBI director came out and said, look, what we call advanced persistent threats because nobody wants to call a nation out by name on things like this podcast because you don’t want to draw that type of attention. Even the government doesn’t necessarily want to. But the FBI director came out and said APTs, and in that case, he actually said a country name that you can guess what it was or go look it up. But these people are deliberately placing threats inside of our systems, our infrastructure systems that are essentially going to be time bombed so that in their insurance policy. So if we ever do get in an armed conflict with these other nations, they can punch a button that theoretically could fire it off and impact everybody in the US. Everybody is part of a payment card system or whatever it may be. So, the threats have not gone away. In fact, the threats have increased because they’re sitting there dormant. And the question is, are we, as business leaders, if, as a CISO, going to say, Hey, it’s not impacting me today, so I’m not worried about it. I’m going to ride out my next three or four years in this job, and I’m going to move on to the next one and let the next guy take care of this. No, that’s not how I look at it. But unfortunately, that’s how some people look at it.
As long as it doesn’t happen on my watch, as long as that time bomb doesn’t go off on my watch, then I’m good. FBI director is saying, look, people, get your head on straight because this is a problem, address it, or we’re going to have problems if there is a kinetic or an actual armed conflict that occurs between the nations. Got it. The other thing, and I’ll just say this very quickly, the other thing we have to understand right now is there are things going on in the Middle East. There are things going on in Eastern Europe, as we all well know, and there is literally, and not figuratively, but literally, cyber warfare going on between nations right now. Again, if you go look in the news and look for things, you can see that one nation attacked from a cyber perspective, a boat sitting out in the Red Sea because it was doing command and control for groups that are on land in that area that are doing attacks. So there is literally a cyber war going on right now. It’s under the covers, and we have to be prepared for that and careful, but we don’t see it. So it’s out of sight, out of mind.

Scott Kinka:

Yeah, of all, I mean, you’re a CISO, you live in what if every day, right? Is that situation that you just talked about, the thing that scares you the most?

Mark Houpt:

No, because this is going to sound ridiculous.

Scott Kinka:

You don’t scare?

Mark Houpt:

No. Well, no, I don’t scare. I’ve been around enough, but I’ll be honest with you. I have faith in our military and intelligence systems, and they can handle this. And even if we get taken down for a couple of days, we have ways to get back. Lemme just give you a small example of that, please. It has nothing to do with the military. Okay? Last year, I went on a trip to Alaska. I went all the way up into Utqiagvik, or Barrow, all the way at the top of the state of Alaska, the farthest place you can go in North America in a city, and they had an undersea cable that was cut as a result of some Anchorage-type of things that were going on. Within two days, those people had their internet back up because of Starlink. So I believe that we’re residual, we have enough resistance, we have enough capability to overcome the challenges that are in front of us. So that kind of thing is not what keeps me up. What keeps me up is the apathy that we have and the ignorance that we have towards these things. For every large business out there that takes cybersecurity seriously, there are 500 small businesses and medium-sized businesses that either don’t know what to do or choose to be ignorant of it because if they stick their head in the sand and walk away from it, then they don’t have to pay for it. They’re the ones who are developing the software and doing the consulting and managed services programs for these larger companies and for other companies. And I think just like we saw almost ten years ago with the Target situation, the attack is going to come in through the back door, and it’s going to come in through those SMBs. It’s going to come in through that HVAC company that allowed the attackers to get into Target, not Target themselves. And so we have to be prepared for that. That’s what bothers me is that back door, not the front door.

Scott Kinka:

Okay, so I’m going to put you on the spot. You have a small business, I won’t even say CIO, a small business. There is no CIO in this company, director of IT, or Small business director of IT in front of you. And he’s listening to this episode, and he goes crap, I’m in that group that Mark’s talking about. And you get 60 seconds with him to tell him one thing to do. What’s the one piece of advice that you’d give him?

Mark Houpt:

Don’t ignore it. Document, document your situation. Because most of the time, those 27 to 30-year-old directors of IT that are trying to climb the ladder and get to the position where they can be that CIO are trying to learn to talk to the business owners, and the business owners are going, no, I don’t have the money to pay for it. Stop talking about that. So my advice is to create a culture and talk about it. Number one, don’t ignore it. Number two, document your communications and keep them in a place that you have access to.

Scott Kinka:

I get you. It comes downhill. You want to be able to have said what you offered and what you shared your concerns.

Mark Houpt:

That’s the practical advice. The rest of it is this: do what you can with what you have. Okay. I’m a CISO at DataBank, and it’s not going to be any secret to my leadership when I say, look, I could always use more money; I could use more people. But what I do is I create a three- to five-year strategic plan and a business plan, and I say, look, these are my biggest risks, and we’re going to tackle the things that I’m getting support for, and we’re going to tackle the things that we can afford, and we can deal with, and we’re going to risk, we’re going to apply risk to the others, and we’re going to have conversations about those on a monthly basis during our capacity planning calls. And we’re going to address those and make sure everybody’s on the same page regarding how we’re budgeting and addressing these scenarios, including setting it aside if that’s what we need to do. But that’s my key: to have a strategic plan, talk about it, and do what you can with what you have. Don’t just give up because they aren’t giving you the money.

Scott Kinka:

I love that. Yeah. I mean, every Outlook and every operating system in that business, if they have nothing going on from a security perspective, has a local firewall on it on the operating system, and it’s got a patch policy on it. There are, but just make sure that the stuff that you have is as tight as it can be. It is the first start. That’s really, really good advice. I appreciate that. There’s

Mark Houpt:

So many free things you can do. Another piece of advice real quick is, yeah, go. Don’t fall for all the gimmicks and the latest phrasing of things out there. One of the things I’ve pushed back on the past couple of years is zero trust. Zero trust is just least privilege. That was written as a college paper in the mid-1990s. If you apply least privilege to your environment and effectively do it, and if you do hygienic things, you patch the systems, which is free. If you do the least privilege, which is free, what you’re going to do is you’re going to tell those attackers when they’re knocking on your door, it isn’t easy to get in here. And if you want to fight, let’s have a fight. But most easily, 90 plus percent of the attackers are going to go someplace where when they jiggle the door, the door flies.

Scott Kinka:

The doors are unlocked. Exactly.

Mark Houpt:

And if you keep your door locked the best you can with what you have, they’re going to go away.

Scott Kinka:

Completely. Yeah. I mean, look, a well-organized bad actor has a really good shot of finding some way of doing something, but most are not well-organized. They’re just hitting ranges of IPs and seeing who’s doing it. I jiggle the doorknob, and that’s where they’re going to spend their time. So that’s really good advice. I have one more kind of security-related question, and then we’re going to have some fun before we wrap because we’re running up against it. You mentioned earlier a little bit about the case, and I didn’t say this: you did it in your community, but I love it. You were like, sometimes the CISO hides, and I’ve been involved in some conversations. Look, we deliver products in multiple categories from you guys. We have a huge data center and cloud practice. We have a massive network transformation practice, and we have a very big security practice, and we’re running into deals where it’s impossible not to sell all three at the same time. You know what I mean? So we’re even separate in network and security at this point. But here’s the challenge. When we’re dealing with customers who are big enough to have an IT department and CISO in the security department, sometimes it’s very difficult to sell a simple edge security network-based product because of that organization. Do you find the same thing?

Mark Houpt:

Absolutely. It’s everywhere and anywhere there. I firmly believe that in order for CISOs to do their best work, they have to focus on relationships, and sometimes they have to give, and sometimes they have to take. And so, in order for this to go back to our conversation just a moment ago, do with what you have. And I try, instead of hiding in the corner, hiding in the cornfield of Illinois, I try to get out and talk to our people. Could I do it better? Of course, there are probably some people on the DataBank team who might listen to this and go, oh yeah, you could be better at that. Yes, I could be better at that.

Scott Kinka:

We all, Mark, can’t we all?

Mark Houpt:

But I’m not the CISO or the security guy who’s sitting with a trench coat and long hair in my mother’s basement, hacking away. Okay, I’m out there. I’m talking about things like this. I’m talking to our own people internally, and I’m not going to say I’m doing politics or making deals, but it’s like I told my director of compliance yesterday. She’s like, Hey, this team’s willing to work, and this one’s not. I’m like, go with the one that’s willing to work. Go with it and get as much done as you can, individually, and gain some reputation. So that team then talks to the other team and says, Hey, the director of compliance was really easy to work with. They aren’t as bad as a legend says. And so then you go, and you work with people as best you can. Shake hands, kiss babies, whatever you got to do, right?

 

Unlocking Security: Saying Yes in a World of No

Scott Kinka:

Mark, there’s a business trope we use internally here that I wonder if it’s applicable here, which is if you’re in the security office, your job is, let’s be honest, generally to say no to people. You have to keep the door locked. So we always say, just find a way to say yes. You don’t have to say yes. Find a way to say yes, but I can’t do that for you because it’s against our policy. I can do this alternative. That alone would soften it, right?

Mark Houpt:

We do the same thing. There are times when we have to say no, of course. In fact, sometimes people come to us and say, please say no because I don’t want to say no. We literally had that two days ago. We had somebody come to us from the network team that said, please say no. And I’m like, why do you want me to say no? But I have a rule around here. You say yes, but or yes, if you love it, say Hey, we can do this, but you have to put these controls in place. We could do this if these criteria are met. And so that’s how we operate.

Scott Kinka:

I love that. Well, that’s sage advice for that young director of IT that we were both speaking to earlier as well. I think it’s good career advice. This has been an awesome conversation, Mark. Let’s end with some fun right up against it, and we’ll just rapid-fire these. Alright, so here’s the first one. This isn’t as much fun, but I put it in the fun section. What are you reading right now? And it doesn’t need to be technical. It can be in any, but what are you reading right now that you’d love to pass on?

Mark Houpt:

I’m reading The Integrity Gap right now. Wrapping that up for a college class.

Scott Kinka:

And what’s The Integrity Gap about?

Mark Houpt:

It talks about how people have masks on and they don’t tell the truth in order to save face and things along those lines, where people just in society today, they’re afraid to come right out with the truth, and so therefore they create a gap between what they really think and what they say.

Scott Kinka:

Got it. That’s super interesting. That’s one I’m going to check out. Alright, this is probably the most fun one. Whenever the next pandemic occurs, it’s way more dramatic than this one. So you can insert whatever kind of movies you like, just insert that future and only one application still works on your phone. You get to choose what your end-of-the-world app is.

Mark Houpt:

So I’m a big fan of Hunt for Red October. So there’s got to be an app out there that says one Ping Sili. I’ve got to find a way where I could easily communicate with people, an app that will do that. Something like a signal or something along those lines.

Scott Kinka:

I like it. Now you’re very practical. We’ve had all kinds of answers to that one. I really honestly think the most interesting answer that I’ve ever gotten was flashlight, which is a really good answer. I mean, you still have to power it, but you went right down to layer one there. I appreciate that. You’re definitely a case. All right, the last one is here, and you can answer this however you want. It can be tech, it can be business, it can be sports, it can be fun, it could be in your life, it doesn’t matter. But I want to look back at this episode 12 to 18 months from now. So make some kind of prediction.

Mark Houpt:

Some kind of prediction. I’m a Cubs fan. Cubs win the World Series, but that’s not as good as it used to be, back to the future. So my prediction is probably unfortunate, but the situations that are going on in the world right now that continue to boil will be worse than they are today, and we in the cyber world are going to have to deal with that, and artificial intelligence will be a big part of that.

Scott Kinka:

Okay. Alright, well, that’s a whole episode in and of itself, Mark. So we’re just going to cut it there and leave people wanting more. Maybe we’ll do this again. No, I appreciate it, Mark. This was a great conversation and a great time, and we’re super grateful as I know our whole audience that you were able to give us this time today and share your insights, sage advice in this episode, by the way, if you’re a director of IT or a young CIO trying to figure out or so, depending on which role you’re in, trying to figure out what your path is here. So Mark, I really appreciate the time. Thanks so much for joining us here.

Mark Houpt:

Alright, thank you.

Scott Kinka:

Everyone, Mark is the CISO at DataBank. Mark helped, and we’re looking forward to more from Mark and more from DataBank. We’re really excited that you joined us today. Thanks so much, and we’ll see you soon on another episode of The Bridge.

 
