Secret CSO: Greg Crowley, eSentire

What's the best career advice you ever received? “‘If you’re not growing, you're dying’. The world changes fast, so always keep learning and moving forward.”

Name: Greg Crowley

Organisation: eSentire

Job title: CISO

Date started current role: January 2022

Location: Connecticut, USA

Greg Crowley is an accomplished executive with over 20 years in Information Technology and Cybersecurity with extensive experience in managing enterprise security and mitigating risk for global hybrid networks. Crowley believes that as a leader in the cyber world, being able to communicate and execute a strategic vision to defend and protect is the most important part of his role. Prior to joining eSentire, Crowley oversaw the overall cybersecurity function as Vice President of Cybersecurity and Network Infrastructure at WWE (World Wrestling Entertainment). He spent over 17 years in various leadership roles across engineering, infrastructure and security within that organisation. Crowley is a Certified Information Security Manager (CISM) and a Certified Information Systems Security Professional (CISSP).

What was your first job? Going way back, my first job was stocking shelves at a local supermarket in Queens, NY. My first job in technology was self employed, setting up small business offices with network and file and email services. Then I was hired as a contractor for a computer integrator and eventually landed a job at WWE as Systems administrator in 1999 when the company was still called the World Wrestling Federation.

How did you get involved in cybersecurity? Starting out in IT and in systems and network infrastructure, security was always part of my job. However, back in the early 2000s, not many companies had dedicated cybersecurity professionals or a security team. Back then, IT did security. As years passed, the need for Cybersecurity to become its own entity became more apparent and necessary.

For me, the big change around this was in 2014 when Sony Pictures suffered a major cyber attack. At that time, cyber attacks on American companies were not occurring daily like they are today. This was big news, and being employed at another major media and entertainment company at that time, it served as a wake up call for the company and me. It was at this time that my career became focused primarily on cybersecurity.

What was your education? Do you hold any certifications? What are they? I have a Bachelor's degree in Communications from Queens College. It wasn't until after college that I went back to school to get an education in computers and networking. I have held many certifications throughout my career, including a MCES, CNE, CNA and others that have long since expired. Currently, I maintain my Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP) certificates.

Explain your career path. Did you take any detours? If so, discuss. It was not so much as a detour as a completely different career. Out of college I was briefly in the television production industry but I quickly realised that was not what I wanted to do with my life. I went back to school to become a systems engineer which at that time was in high demand, much like cybersecurity professionals are in demand today. I received my education, got certified and started work as a systems administrator.

I think this is a pretty common path for many of us in the security industry, starting in general technology and systems management, and then moving into security. Having that technical background is a great foundation for your awareness, and it helps you on your journey to being a CISO. The hardest transition for me was to go from working in a hands-on role into management.

Was there anyone who has inspired or mentored you in your career? I gain inspiration from many sources, but mentors are something that have been sparse for me. One person in particular always comes to mind, though. He came on as our new department head and my direct manager. At that time, changes scared me and I was resistant to moving higher up into management. He really helped me believe in myself. It was under his leadership that I was able to grow as a professional and understand what it means to be a leader myself.

What do you feel is the most important aspect of your job? It’s building relationships. You have to spend the time developing relationships and building trust throughout the organisation that you work for. This will ultimately determine if you succeed in your role, which is to collaboratively manage and reduce risk for your organisation over time.

What metrics or KPIs do you use to measure security effectiveness? I think this is a pain point for CISOs and security leaders as there is no agreed upon set of metrics or KPIs within the industry. You have to work on this for yourself, based on your knowledge of the company and the industry.

To achieve this, you have to know what the company needs. I like to start by understanding the company's risk appetite and risk tolerance. Once that is established, I identify the threats to a company and track risks in a risk register. With this in place, I can measure the risks by likelihood against their impact, and then use this data to report on progress.

Each program within your portfolio will also have a measure of effectiveness. For example, for Security Awareness Training, you can have a metric for Phishing Resilience which compares the simulation numbers of phish clicks versus the number of reports. For Incident Response, you can track measures like Mean Time to Detect (MTTD), Mean Time to Respond (MTTR) and Mean Time to Contain (MTTC). By looking at these metrics over time, you can track your performance and demonstrate what good looks like back to the business.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Every security role is a challenge to staff. eSentire is a bit different than most when it comes to employing security professionals. We are the company you come to because you are having a hard time finding or retaining security personnel. For most companies, it is not cost effective or possible to build and maintain an internal SOC that is manned 24x7 with security experts, they rely on us to provide that service for them. The skills shortage has amplified this, but for us, we are fortunate to have a great pipeline. As a top security vendor we tend to attract quality security talent.

Cybersecurity is constantly changing – how do you keep learning? There are a lot of great security podcasts out there, for me they are the best medium to learn and stay ahead of the curve. It’s also good to attend conferences and network with peers.

What conferences are on your must-attend list? I like the Gartner Security & Risk Management summit for thought leadership and RSA for meeting with anyone and everyone.

What is the best current trend in cybersecurity? The worst? The best trend is the shift away from traditional alert-chucking Managed Security Service Providers to being value added MDR (Managed Detection and Response) providers. Prior to joining eSentire as their CISO, I was a customer of theirs for years, but it is only recently that the value of MDR is being more widely recognised. For my money, MDR is a must have.

The worst trend I see is the ever-increasing number of privacy and data protection regulations. Their intent is great but there is no standardisation and an impossible number of them to keep up with. My fear is that too much time will be spent on proving compliance, which may reduce the focus on actual security.

What's the best career advice you ever received? “If you’re not growing, you're dying”. The world changes fast, so always keep learning and moving forward.

What advice would you give to aspiring security leaders? Never sacrifice your integrity. Build relationships, provide value and earn trust. The best leaders not only succeed in helping their organisations reach new heights, they genuinely care for their people and understand the privilege of being a leader.

What has been your greatest career achievement? Watching the people I mentored grow to become flourishing security leaders.

Looking back with 20:20 hindsight, what would you have done differently? I would have realised sooner when it was time for me to move on.

Originally posted on idgconnect.com