Mary Rose Martinez. PHOTO: Cybercrime Magazine.

CISO Report: Cybersecurity. It’s All About The Culture.

Marathon Petroleum CISO Mary Rose Martinez gives back with advice for small businesses

David Braue

Melbourne, Australia – Apr. 6, 2023

The CISO Report is sponsored by KnowBe4.

Security tools may be important, but phishing simulation programs are “paramount” to giving employees the skill to detect phishing emails, the CISO of one of the world’s largest petroleum companies has advised while warning security executives not to get so focused on security tools that they forget to secure the human element.

“The frequency with which we conduct such programs is in direct correlation to the efficacy of the training, as well as the level of sophistication,” Mary Rose Martinez, vice president and CISO at Marathon Petroleum Corporation, told Cybercrime Magazine.

“The majority of statistics say that the majority of breaches involve the human element, and the majority of those breaches of the human element have to do with phishing,” she continued — noting that organizations must continually reassess their phishing training and adjust the content to reflect ever-changing attack patterns.

Rather than running training once at a particular level, Martinez said, “as the organization gets better, we need to increase the level of sophistication of the phishing emails.”

The goal, she added, is to “simulate what would have happened in real life and what changes are occurring… to continue to ensure that our organization stays adept and more aware of what the threat landscape looks like.”

“We can never be complacent when it comes to cybersecurity training and awareness.”

That threat landscape continues to change daily, with ransomware and other phishing-borne attacks continuing to challenge businesses to improve their security technology and reinforce their employee security training.

That training — which is fueling a market expected to be worth $10 billion annually by 2027 — is essential to building and maintaining an enterprise security culture, Martinez explained, noting that such a culture is developed in stages as “not something you can necessarily measure, but something we essentially observe.”

“It starts with knowledge” gained through cybersecurity awareness training, she said, then moves into acting on that training — actively and consciously applying learned techniques for identifying phishing emails — and ultimately “unconsciously acting on the training, where you’re basically just living it.”

“You go from knowing to acting to being,” Martinez said, “and when you hit that ‘being’ [phase] that is when you really have embedded it into the culture of an organization.”

“In my mind,” she continued, “culture is when you’re unconsciously living the concepts and the precepts that you were trained on.”

When culture crosses the organizational boundary

For all the importance and complexity of training employees within the business — Martinez and her team have nearly 18,000 employees to focus on — she believes the need for security culture extends right across the industry, both demanding a level of commitment and enabling a degree of collaboration that is simply not found in many other industries.

“I have been in so many roles throughout my career,” she explained — her resume includes decades of energy sector experience with the likes of Halliburton and Shell — “but the cyber community is one that crosses borders, organizations, sectors, public or private.”

“It’s so collaborative,” she continued, “and that’s one of the things I really enjoy about it. I talk with my peers, and it doesn’t matter whether they’re a customer or competitor, because we’re all in this fight together. And that’s one of the things that does give me hope, is the community that is striving to combat this threat.”

And while Martinez has access to the substantial resources of a petroleum giant with $177 billion in annual revenues, she knows that raising the cybersecurity bar also requires the engagement of the millions of smaller businesses that must also foster their own cybersecurity culture.

And where larger companies may have dedicated cybersecurity teams with employee awareness training and phishing-test specialists, she said, smaller businesses need to compensate by tapping the many resources available to them — such as CISA’s Cyber Guidance for Small Businesses — to build an effective cyber culture and capabilities despite their relative lack of resources.

Indeed, building a security culture is the first item on CISA’s list – which, like Martinez, calls for regular communication across the organization, “meaningful” security objectives aligned with business goals, and the positioning of security as an “‘everyday’ activity, not an occasional one.”

“They take the five domains that we know about — all the controls that anybody could potentially do to protect themselves — and boil it down to some basic blocking and tackling,” she explained.

Ultimately, businesses of any size need to appraise their cyber exposure by considering a few common questions — ranging from ‘What is my threat profile?’ to ‘How much of a risk am I willing to take?’”

“You have to take the guidance out there,” she said, “and balance that with your risk appetite and your threat profile.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

Sponsored by KnowBe4

KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.