Greg: Hi, I’m Greg Schaffer, and welcome to the Virtual CISO Moment. Mariia Erokhina joins us today. She is a CISO-level security leader known for designing security risk and governance operating models that scale with the business. Mariia has led and built global information security functions across fintech and highly regulated environments, delivering programs aligned with ISO, GDPR, and other regulatory frameworks. Her work focuses less on individual controls and more on creating durable operating structures where accountability is clear, decisions are executable, and security, engineering, and business objectives reinforce each other. Mariia, thank you so much for joining us today.

Mariia: Hi, Greg. Thanks for the invitation. I’m pleased to join you today.

Greg: And thank you for the restart. I don’t mind saying I’m always very open on this podcast. We had gone probably about four or five minutes and then we had internet connection degradation and then the recording stopped. And so for us, we’re going to do like a Groundhog Day moment here and just kind of redo stuff again. So Mariia, we’d love to hear about your history, how you got involved with cybersecurity, and then just bring us all the way up to where you’re at today.

Mariia: Yeah, thank you. So actually, I started in cybersecurity when I was sixteen. I picked this field when I was just in school because actually I had to choose the university and to choose the future profession. It’s hard to pick correct when you are so young. At the same time, I had really good professionals around me to look at and to pick this profession. So actually, before I was sixteen, I tried myself in some development, in IT administration, and so on. But actually, I understood that my profile belongs to cybersecurity. It just came to me.

So after that, I started the university. It was five years over there, a lot of things. And over there, I learned that cybersecurity is somewhere in between of some fields. So it includes legal compliance, all this stuff, also a technology deep dive as well. And this grew me up significantly.

After that, I was working in a few banks and in a grown-up corporation, in small ones, and it built me as a professional who really wants to improve the business and improve operations through security. So security is just a part of the business from my perspective.

Mariia: Greg, are you with us?

Greg: Oh, I was waiting for you to continue.

Mariia: Oh yeah. So actually this is just a short intro for my field.

Greg: Okay. And the reason why maybe I had that deer in the headlight look is like I’m still troubleshooting. And it, I have been troubleshooting as soon as you started talking. As soon as I went to a single screen, had the same issue where it’s like I started to lose what you were saying. And so here I am troubleshooting.

This is going to sound weird. I know you can appreciate it as a tech professional. I think, I don’t know why this is the case, but what solved it apparently is that I went back to the two screens. Because I had you on the solo screen, and as soon as I did that, everything started to degrade. And so when you stopped talking, you were so still, it’s like I thought, oh gosh, I lost the internet connection again. And then you said, Greg, are you with us?

Fantastic. At least it proves that we are live. Absolutely. And unafraid to talk about mistakes.

But this is really weird because, again, like I said, on my side, if I went to a single screen with just you right now, it would die. But here, everything is flowing very well.

And we’re going to talk about stress a little bit later in the podcast. But I have to say these sorts of things that come up, and it comes up in our field just in general, but anything that comes up that’s a surprise can be very, very stressful.

And I’m going to take that as a segue into our first question I really wanted to talk about. We were talking about in the intro how you really talk about focusing on creating durable operating structures instead of individual controls. You know, in our little example here of having an issue suddenly come in surprise, I can see that that has a tie into security. Because a lot of times if we get too far into the weeds with individual controls, we miss the actual big picture of what’s happening.

So here being so far into the weeds as far as individual controls and what’s working, what isn’t, with regards to this, with regards to ignoring the big picture of trying to get the podcast going. So I’d like to find out, I’m trying to figure out what a healthy podcast platform looks like, but from a security program in general, what does a healthy information security operating model actually look like in practice?

Mariia: So from my perspective, security does not exist in a vacuum. This is the core point, that security is part of the quality of the business and the business processes. And that is the main key thing that I use in my work.

So integration of security into business processes is the core thing that works, instead of just checklists in chat, instead of just controlling some very small separate pieces. It is required to see the full picture.

And it means that I need to focus on how everything operates, not how something is listed. And I clearly understand that there is no one size fits all processes.

I worked in identity and access management implementation, and my customers, they used to say that we have some very standard process, like onboarding, offboarding, change of the role, and so on. But I said, oh, you know, it is so different between the organizations. No similar processes.

And actually, this is the core thing, that we need to tailor security to ensure that this works perfectly for the exact company, not for everyone.

Greg: We get instances where we have auditors come, or with financial institutions, examiners as well. One of the things that I’ve heard constantly, and it’s probably one of the statements that really bother me, is when a financial institution might say something like, well, we’re good enough because the auditor said we’re good enough with what we’re doing.

And that gets almost to like this checkbox, checklist compliance thing, looking at individual controls. Your controls are in place, but they’re not looking at the overall big picture, as you say, the operating model of the security program in general. And they’re trying to take a one size fits all approach to their controls, to their audits, and to their exams.

So there’s really a difference between what we would term like audit-ready and security-ready. What are some of these differences? And probably more importantly, why is this important?

Mariia: So a very interesting question, and I really like it. So from my perspective, you are fully right that audits check the existence of the control, but they do not check the quality of these controls. Because one and the same control we can implement in so many ways. And actually, this is the thing that is missing.

So the standardization that we use, so standards, frameworks, and so on, this is a good thing because it’s really helpful. But at the same time, it depends on the organization and what they focus on.

If the core goal of the organization is to pass the audit gracefully, this is one task. And if you want to ensure real security, this is the other task. And actually, I understand that if you build the real security, you most probably would pass the audit successfully.

So of course, you need to follow some rules, but it is easier than to follow the approach that yes, we go to the audit and we need to pass it gracefully and this is the only point that we want.

So when organizations try to achieve certification and equate this to real security, for me it is a big question whether we really understand what exactly we are doing. Because it feels like a fake for me as a professional, of course.

And I clearly have an example from my practice that shows the approach of paper security and real security. One day I was at a meetup, and one manager impressed a lot of people, to be honest, with the explanation of how mature the process was that was implemented in his organization. It was vulnerability management. It was nice schemas, good explanation of how it works, what tooling is used, automation everywhere, lack of noise because of the reduction of this noise with the specific tools and orchestration. Tasks are in Jira. Everything is all good and just works.

I was impressed. And it happened that in one year I became a manager in this exact organization. And immediately I recognized the page from the conference with the description of this process. And I said, oh, so we have some mature process over here.

Okay guys, team, please explain to me what’s going on. And this team showed me the process. Yes, tools were in place, documentation was nice. At the same time, tasks were in Jira, but no prioritization, no remediation. Is it worth it? Of course not.

From my perspective, it is a waste of time and a waste of resources.

Greg: Security theater, right? That’s like security theater.

Mariia: Exactly.

So actually, it was a lack of authority of the ex-manager to implement this stuff properly. And I would not say that it is blame for someone, but it is really a theater. And I don’t really appreciate this.

So for me, even if the process is not perfect, if it’s not that mature, we still need to achieve the goal. And the goal is always real security.

But to address the audits, to address some controls, sometimes we really need to document it in a proper way on how it is expected. And we sometimes just accept these rules. But it depends on the goal of the organization.

Greg: Well, and therein lies one of the big challenges. What is the ultimate goal of the organization? Because as you touched on before, it can be between passing audit and real security.

I completely agree with you. It’s like if you have a good solid security program in place, you’re going to right out the door meet eighty, ninety percent easily of any one of those framework requirements out there. And the rest is just more aligning with probably different acronyms and all of that.

But the problem comes into play, we know that as security professionals, but when you have executives that really just care about the audit part. I think that part of it comes down to them understanding that they need to have ownership at the executive level with regards to anything security.

It’s almost as if sometimes you run across the attitude of like they just want security to go away. How do you break through this? How do you convince them that taking ownership of security, not as an audit pass end goal, but rather as getting to a real security program, is the correct business decision to make?

Mariia: So actually, this is one of the hardest pieces in CISO work. Because actually what I noticed is that the approach is really different because of the size of the organization and the maturity of the organization.

For the corporations that implemented security and invested in security for years, for decades even, it is totally normal for executives to pass through the training, through some sessions with the security professionals to explore how exactly it influences the business. And they understand that they are responsible for security.

They pay for security for the professionals, but at the same time, it’s them who identify the goals, who identify the priorities, and so on.

At the same time, for mid-size organizations, their approach is totally different most of the time. Executives do not want to be bothered with some trainings, including just regular awareness sessions. And implementing even this sometimes is one of the things that is a big win for the CISO in this organization.

And let’s look at the structure of the organization. For me, org structure means a lot. It tells you a lot about the organization.

For corporations, the CISO is a board member. It is the person who really acts on the C-level. But for mid-size organizations, the CISO can be a solo specialist, just a specialist. Or it can be an operational lead who reports to the CTO, CIO, COO, or some other C-level executive.

And it differs a lot. And the main point is that I understand that in such organizations, the CISO mostly works on the operational level.

And what I recognized is that mostly the people under C-level, so C minus one, start to have a high demand for security. On the one hand it is strange, because we used to say that for executives, for C-level, it is their skin in the game, because it is their reputational impact, it is their approach.

But later we can see that directors, heads of functions, and so on, they really want security. They have demand for some specific questions that they face in their operational life. And that’s why they start to work with the security function.

Greg: Well, certainly the head of security, the CISO, or however we want to pronounce it. I heard once this saying, and I think it speaks so much. It’s like if you don’t report to the board or the C-suite, like the CEO, you’re a chief of nothing. The C means nothing there.

To your point, you were saying it becomes more of an operational role. And I wonder, there’s a lot of challenges that we have when we’re talking about scaling organizations, particularly like startups that then start blowing up.

And they may have had one person in charge of security early on that was more operational than everything. But I would think that there’s probably some challenges from scaling up and trying to reach to that level where the security officer becomes more of a strategic partner in the executive, not just the operational role that they had before.

Mariia: From my perspective, that’s what I described actually in my post on LinkedIn. It was about whom exactly we call CISO.

So over there, I mentioned that through my career, I saw three types of CISO. Solo CISO is the person who is a solo specialist, but it is required to have a CISO in the organization because of some regulations, auditors, right?

Greg: The auditors need it.

Mariia: Exactly. And the person just gets a title of CISO, but this is a solo person who proceeds to work on everything. And of course, it’s typically more for compliance reasons and some programs that this person is capable of driving.

The other type of CISO that I see is just head of IT security, head of cybersecurity, or someone who really drives all this operational stuff related to cybersecurity. And these people are mostly hands-on and organize all these processes and structures and so on.

And these strategic partners for business, they are rare. So actually according to all the reports that we see globally on how many CISOs are on the board, it is mostly for corporations, for mature organizations; very few startups include CISOs over there. They just do not have enough demand.

That’s why I speak mostly about influence on the operational level, because it is much more applicable for the market.

Greg: Well, if you were to advise someone who was wanting to be eventually in their career a CISO, and let’s just say that of the three, we’re talking about one that actually is at the proper strategic level, board reporting and all of that.

CISOs come from various fields, but I would guess a majority come from technical backgrounds somewhere in IT. What advice would you give someone that wants to aspire to that level?

Mariia: I would say that it would be good for everyone in cybersecurity to work on the soft skills, on the communication. Because actually security people are supposed to be really good communicators. You need to convince people.

And speaking about communication with executives, most of them do not really understand the technical language. So you need to work with as simple a concept as possible. You need to explain it through the value for business.

Simplify things as much as possible, like for children. One of the CEOs with whom I worked, he really asked me to explain everything to him like for a five-year-old child. And actually, I’m really grateful for this request because this brought me to learn how to express everything metaphorically.

Greg: And when you said that, that was exactly what I was thinking. If you can’t explain it simply, maybe you don’t understand it completely.

Mariia: Yes, totally agree.

Greg: And another thing you touched on, it’s okay to be humble. It’s okay to make mistakes. You’re going to make mistakes. Don’t let that consume you.

Mariia: Yes, security people are often treated as a threat. People feel insecure. So in my teams, I try to build a really friendly function. Even in case of an incident, we would not punish anyone. People make mistakes. We are here to fix the problems.

Greg: We also need to get away from it sometimes. So what do you do to decompress from the stress of everything cyber?

Mariia: First of all, I accept that I’m also a human. And I rely on my team. Together we can fix almost everything.

And to de-stress, I walk a lot. Movement helps. Walking reduces stress.

Greg: I think I might go out and take a walk after this. So what kind of future plans do you have?

Mariia: I have no idea how I see myself in five years. The world rapidly changes. But I think security should be a changer for the business. It should have more influence on operations.

If you need to implement security controls, you need to build processes first. For example, if you need security due diligence for suppliers, you need a procurement process first. So I’m really good at building processes, and I think it can be some role related to this.

Greg: Mariia, thank you so much for joining us today and for your patience as we navigated through some of the issues. My big takeaway is that we’re all human.

Mariia: Thank you so much, Greg, for the invitation. Maybe we can chat someday about another topic as well.

Greg: I would love that. And everybody, stay secure.