Editor's Note: At the time of publication, Jason Murphy's title was Director of Information Security. It has since changed to VP of Information & Cyber Security. Congratulations on your promotion, Jason!
Recently we had a conversation with Jason Murphy, Director of Information Security at St. George’s University. Jason has over 20 years of cybersecurity experience and great insight to share with his comrades in security.
As we round out 2022 and think about the new year that approaches, here are five takeaways from our discussion that you can take with you into 2023:
- Invest in the right tools…
Ensure the tools you invest in have some level of integration with the tools already in your stack. When evaluating technologies, Jason asks himself, “How does [this tool] interact with my core technology? Can this help my team learn, or do I have to bring in experts?” Additionally, invest in tools that have a smooth learning curve for your team to ensure high adoption amongst your team. Lastly, when evaluating and investing in tools, see it as a long-term technology partnership, so you want to be sure that you believe in their trajectory and roadmap.
- …So you can make time for non-technical security work.
Jason describes “non-technical security work” as developing and rolling out security policies while working and collaborating across teams to ensure the business is more security aware. Building relationships within the business has two benefits for security practitioners: 1) you understand what people across the company do in their roles, and 2) people are more likely to come to you when something is wrong, and you can work together to find a solution. In addition, Jason says, “I want folks to naturally think of security. People are busy doing other stuff, but if you get one or two of those wins, [they realize security folks] aren’t so bad.”
- Prioritize what affects the business and work cross-functionally.
“Outside any immediate security alerts, we try to prioritize what we can accomplish and what we can establish without interrupting the business,” says Jason. Focusing on a) what both the security team and the business wants to accomplish while b) taking into account reducing risk and friction of others trying to do their jobs will allow you to prioritize what work to do naturally. And don’t underestimate the work of getting buy-in from other people across the business; this will help them understand what you’re doing and why you’re doing it. Security is a team sport, and collaboration is key.
- Don’t just look to hire people who meet all the skills.
Not only does Jason look for people who can adapt to new knowledge quickly, but he also looks for those who may have skills that he refers to as “skills adjacent” (i.e., skills that exist elsewhere to what you were primarily looking for). For example: Maybe a candidate doesn’t have experience working as a security analyst, but they have data analytics in their background. In Jason’s eyes, their “skills adjacent” would translate well because looking at alerts is like looking at and understanding data. Also, investing in tools that lower the learning curve enables those with less experience to get set up for success.
- Show value to senior leaders by focusing on something other than typical metrics.
When showing the value his team is bringing to the business, Jason tries not to demonstrate typical metrics such as “how many breaches stopped” because they can be misleading. Instead, he focuses on how security has helped the business and how often his team got involved in processes. Again, he brings it back to collaboration: “It’s all about working with other units. How are we helping other teams? I really love to lean into how we help other teams with our tools and our knowledge.”
Throughout our conversation, it was apparent that Jason prioritizes the human element of security. From skill building to collaboration and teamwork, you can’t get very far in security if you work in a silo.
For more takeaways and insights from Jason, check out our entire conversation.