Mark Potter - Cybersecurity Expert's Top Insights
Critical Stats
Started his cybersecurity journey in: 2004
Most passionate about (in cybersecurity): AppSec, Automation, and AI. He is also passionate about data modeling and architecture associated with the capture, use, analysis, and dissemination of security event log data.
Favorite zero-day: A toss-up between EternalBlue and Log4Shell
Favorite song: “Amour” by The Warning (live at the Pepsi Center CDMX in 2023)
Introduction
With over 30 years spanning IT and cybersecurity, Mark Potter offers deep expertise, including two decades dedicated to information security, governance, risk, compliance, and data privacy. His diverse background ranges from startups to Fortune 500 enterprises, marked by 15 years in CISO leadership roles. He also brings significant experience as a data warehouse architect (6 years) and a software developer (5 years). Needless to say, he knows his way around the tech ecosystem!
Mark is a cyber vanguard!
We selected Mark because he’s a cyber vanguard! I first met Mark at the FBI CISO Academy, and we hit it off right away, as he is very personable. He is also highly competent, dedicated, and admirably self-motivated. How self-motivated? Well, he holds over 35 certifications in security, privacy, and risk management. In contrast, most professionals in the field hold one or two relevant certifications, not 35. What this reveals about Mark is a deep-seated desire to learn and continually grow. It underscores his insatiable curiosity and genuine passion for mastering the intricate landscape of security, privacy, and risk management, making him an invaluable asset and one more than worthy of our highest distinction, a One2 Watch cyber vanguard (aka… the best of the best)!
Without further ado, we asked Mark our standard set of 5 questions to rule them all, and here are his responses:
Five questions to rule them all!
1. What is the biggest problem we are dealing with in cybersecurity?
I think the biggest challenge we face continues to be our susceptibility to phishing and other social engineering attacks. The broad availability of AI tools has significantly lowered the bar for generating compelling phishing content, including realistic branding, tone, and formatting. Messages, phone calls, and videos can easily be designed to exploit human susceptibility to psychological persuasion and manipulation. AI tools also facilitate code generation, which can allow a criminal to leverage automation and to quickly change their messaging style and hosting providers when one of their campaigns is flagged.
2. How can we address phishing and other social engineering attacks?
Focus on building genuine interest around the topic of cybersecurity and use storytelling to convey how a particular event affected people’s lives. During a medical appointment last week, my doctor spent the first few minutes talking to me about his recent dinner with someone who shared fascinating details about how Stuxnet was used to set back Iran’s nuclear weapons program in 2010. I mentioned that Stuxnet was introduced into the air-gapped Natanz facility through the use of a USB drive, and that USB drives ‘dropped’ in parking lots are a common social engineering attack vector that has impacted others, including our own US Military. I asked him if he had heard of “Sandworm” (named after the Russian state-sponsored hacking group known as the Sandworm Team) by Andy Greenberg, and proceeded to tell him a story… he was enthralled and wrote down the name of the book. Through storytelling, we not only made a connection around a common theme, but we also discussed how the attacks happened and the people and services impacted; storytelling made it personal and memorable. We should strive to make cybersecurity awareness more than an annual checkbox exercise.
Here are some concrete ideas:
Cultivate a community of interest and engage with people who bring questions, issues, and stories to the community.
Post news about current cyber-related events that could affect people’s lives at work or home.
Establish communication pathways and mechanisms for employees to report suspicious emails, text messages, or phone calls.
Use an email security provider with strong spam, phishing, and malware detection capabilities that also provides embedded visual cues to assist employees with making a decision related to that email content.
Use vendor browser isolation technology to ‘open’ the email on the vendor’s infrastructure, rather than on the employee’s workstation. This transmits an image of the email content while triggering any malicious payload safely on the email security vendor’s purpose-built infrastructure.
Require long, unique passwords.
Provide password vaults to employees.
Deploy phishing-resistant multi-factor authentication.
Train people on what to do when they think they may have fallen for a phishing campaign (again, provide home life examples to make it meaningful and personal).
Pro-Tip: When conducting phishing simulation campaigns at work, refrain from punishing or shaming those who click on the simulated phishing emails. Instead, send a broad communication highlighting some of the red flags that could have tipped someone off that the email was a phishing email. To help those who require additional awareness training, consider conducting one-on-one sessions.
3. What are three actions a CEO can take to protect their company from cyberattacks?
Prioritize, fund, and support security initiatives and broader long-term efforts to evolve and mature the security and privacy programs.
Evangelize security. It isn’t a cost center; it is a business enabler. Strong, independently vetted security programs help to establish trust with employees, customers, partners, and shareholders. The trust, especially with customers and partners, will open up business opportunities.
Participate in tabletop exercises and observe October's Cybersecurity Awareness Month. If the CEO is deeply engaged in these activities, it sets the tone that security is important and needs to be prioritized.
4. What are the three best resources for learning more about cybersecurity?
Use certification programs as a means to ‘gamify’ learning. I try to use at least three resources (where possible) for each certification exam. Different authors will have different strengths and focus areas. Using three resources helps to reinforce the material.
Embrace the audio learning revolution. As an auditory learner, I leverage recorded classes on various platforms, purchase Kindle books with text-to-speech enabled, and use a PDF reader on my phone that reads white papers, standards, and NIST publications aloud at a speed I can configure. This lets me attend a ‘class’ while driving somewhere, on a plane, or walking on my treadmill.
Employ AI. I'm a big fan of large language models (LLMs). Despite the occasional hallucination, I can't overstate how much research time they've saved me in gathering and distilling content and in generating code.
5. What is one piece of advice for those wanting to pursue a cybersecurity career?
I strongly recommend embracing a continuous learning approach in cybersecurity. Here’s how to do it: Start by establishing a strong foundation in the basics, then expose yourself to the broader list of subdomains or specializations to find a niche you are passionate about. Once you find your niche, develop deep expertise in that area, but always stay aware of changes in related fields. Remember, cybersecurity careers often follow a non-linear path, and every experience provides a unique perspective that will enhance your journey. Stay curious, step outside your comfort zone, and never stop learning!