Cyber Savvy: Schooling Hackers and Safeguarding Education with Brian Markham, CISO at EAB
Welcome to the latest edition of Cyber Savvy, a blog series showcasing insights from top cybersecurity professionals. In each edition, we engage with diverse security leaders to uncover fresh perspectives on emerging threats and trends. These interviews highlight their unique career paths, the challenges they’ve tackled, and the milestones they’ve achieved.
In this article, we chatted with Brian Markham, CISO of EAB. Brian has worked in security for over 20 years, spending much of that time in higher education and Big Four consulting. Aside from his day job as a full-time CISO, he serves as an advisor to multiple technology start-ups, manages security and IT for his wife’s businesses, and volunteers to help with technology at his church. Here’s what Brian had to share about his challenges, goals, and the future of cybersecurity.
Can you tell us about EAB?
At EAB, we’re all about making education smarter and communities stronger. We partner with over 2,500 institutions to create real change using data-driven insights and customized solutions. From kindergarten to careers, we help leaders and practitioners make progress in key areas like enrollment, student success, institutional strategy, data analytics, and DE&I. Every partnership is unique, and we tailor our research, technology, and marketing expertise to meet the specific needs of each team—and the students and employees they serve.
What are your biggest concerns/challenges as a CISO?
I’ll preface by saying that I really like my job and that there’s nothing else I’d rather be doing right now. With that out of the way, there are some aspects of the job that are not optimal, not just for me but for many people I know who are in a CISO role.
The toughest part about being a CISO is that you are responsible for things that are outside of your control. When security incidents happen, all eyes do not go to infrastructure teams, CTOs, or software engineers—they go to the CISO. There are outsized expectations on the CISO in that they can or should be able to control the security outcome of every technology decision within an organization. In reality, tech stacks are all managed differently with different decision-makers, budgets, roadmaps, underlying technology, tradeoffs, and risk appetites. This results in complexity that is well outside the control of one person or one team. To stay grounded, I talk a lot about “controlling what you can control” and not getting too stressed out about the things that are out of my control. After all, this is the job and if I’m going to get stressed out about things that I can’t control, I should probably get a different job.
What new challenges do you anticipate in the coming year?
I’ll be watching how economic indicators change due to new policies enacted by the new presidential administration. There have been a lot of proposed changes and I’m not sure what will actually happen and how those policy changes could impact our customers and ultimately our business. Somewhat related, there will be new leadership at CISA and it will be interesting to see how that pans out and what it means for the cybersecurity landscape.
I think the job market will continue to be challenging for job seekers, and any organization that is hiring will likely see very strong candidate pipelines. There are a lot of talented people looking for work, and someone will be very lucky to hire these people.
How is your team adapting to the evolving threat landscape? (advances in AI, etc.)
I put AI risks into two separate categories: (1) the expansion of attack surface as a result of AI features and infrastructure, and (2) attacks that will be improved by or enabled by AI. With respect to attack surface expansion, my team and I have been spending a fair bit of time trying to understand the new AI features that are being built into our platforms and how those new features could be abused. This has meant more threat modeling, meetings with engineering, and research about the best way to pressure test these features.
With respect to attacks that will be enabled by AI, I think I am less worried. My reasoning is that people are already attacking us and they are attacking us a lot. Giving the attacker AI tools doesn’t necessarily make the attacks more effective, for now at least. Maybe I will be more concerned when AI can write functioning, destructive malware in the time it takes to make a funny cat picture but as of now, I don’t see AI tools in the hands of attackers as any more concerning than what they are already doing.
What do you consider your most important success metric?
There are a lot of ways to judge CISO performance and there’s no one way or best way to do it. It’s obviously going to depend on the organization, its mission, and the objectives of the security program. How about something that’s universal like employee retention? If security professionals are staying in their jobs, learning new things, and taking on new responsibilities, you could argue that the CISO has created a good environment for people to come to work. I consider this to be one of the most important aspects of my job because our security program is the people who work on it. From mid-2020 to mid-2023, I didn’t lose a single team member while also growing the team. I’m proud of a lot of the things that we’ve accomplished during my time as CISO at EAB and that accomplishment is at the top of the list.
What are your three biggest goals for the coming year?
I want to continue to learn about AI, cloud security, and data privacy. I see those areas evolving the most and I want to make sure I am keeping up with the latest research and information. I’d like to continue to write my newsletter on a somewhat regular basis and expand on what I can create in that venue. From a day job perspective, I want to make sure that we completely implement all of the great tools that we’ve recently been able to purchase and show the value back to the business. From a personal perspective, I’ve been able to lock into some good, healthy habits since the pandemic. I’d like to continue to keep playing sports, working out, and maintaining healthy, sustainable eating habits.
What new trends in cybersecurity excite you right now?
There have been such exciting advancements over the last few years that have really helped my team get better at what we do. I’m excited that we’re able to do some things now that we couldn’t do 10 years ago. Advancements in cloud security and data security have given us amazing visibility into our technology environments. Having a complete and up-to-date asset inventory is no longer a pipe dream: you can do it and it won’t break the bank. Finally, I’d be remiss to not mention Abnormal; we have very capable and effective tools to eradicate and manage many email-based threats.
You’re never going to be perfect when it comes to security, but you can always get better. I’m really excited about what I can do if I bring all this data together in a meaningful way. I don’t have all the answers there yet but there’s something exciting about not going in with any preconceived notions and seeing where the data takes me.
I’m also excited about the prospect of going passwordless. I’m starting to research this more and think through what a deployment in my organization would look like.
Are there any security leaders besides yourself that you look to for guidance?
I am inspired by my peers across the industry every day. The people that I annoy the most are probably Anne Marie Zettlemoyer and Chris Castaldo. They’re my sounding board for crazy ideas and sanity-checking things that I’m seeing in my day-to-day work. In addition to them, Trey Ford has been incredibly helpful in providing guidance from a product security perspective. Rachel Tobac has helped my team and me build out our offensive phishing program and our approach to security awareness. I’ll also name-drop Cathy Hubbs, Helen Patton, Gerry Sneeringer, and Kevin Shivers, who are or were CISOs in the higher education community and have always made time for me and continue to make time for me throughout my career.
I’ll also add that I look to my team at EAB for feedback about how I can be better at my job. I think every good CISO probably got that way by listening to their team because no one can do this job alone and they know me, my strengths and weaknesses, better than anyone.
What advice do you have for other CISOs or aspiring CISOs?
If you’re aspiring to be a CISO, first of all, I think that’s great. There is a lot of negativity out there about the CISO position and I don’t think we, the CISOs of today, do a great job talking about how great it is to hold one of these roles. My advice for aspiring CISOs? I think it’s important to understand all security disciplines. Once you’re a CISO, you don’t have the luxury of saying that something isn’t your area of expertise. For example, I came up as an auditor and consultant. I had to learn about pen testing through training classes and soaking up as much as I could from the people that I was around. Same with incident response. It’s a lot of work to become knowledgeable across all security disciplines but it’s worth it. Not only will you be better at your job but you will be able to more authentically connect with your team members who are experts in their specific discipline.
I’d also say to not forget where you came from. This is honestly something that I think about every day—25 years ago I was working on a helpdesk. There’s something really cool about knowing you’ve made it to the top of the career ladder while being humble about how you got there and willing to do anything to help your team succeed. Staying grounded allows you to see more clearly and to boost the people around you. You can have some really bad days in this job and when that happens, it’s your team that will pull you through 100% of the time.
One last thing: It’s incredibly important to network and meet as many people as you can. You won’t click with everyone, but you will with some people and those people can become an extension of who you are as a leader. If you surround yourself with good, ethical, knowledgeable people, you will think about the bar that you collectively set for one another every day. Being a CISO can be a lonely job and having a network of peers that you can lean on is essential.
Want to learn more from Brian? You can connect with him here.
Coming Up Next
In our next Cyber Savvy segment, we’ll feature another leading security expert to share their views on the ever-changing world of cybersecurity threats. Whether you’re a seasoned CISO, an aspiring analyst, or just curious about industry insights, this is a conversation you won’t want to miss.
Want to be featured yourself? Contact us here and we’ll be in touch!