The Cyber Security space is an exciting one to be part of. On The Cyber Security Matters Podcast we regularly ask our guests how they get into the industry, and on Episode 21 our guest had a fascinating answer. We were joined by the CISO of ExtraHop Mark Daniel Bowling, who has over 20 years experience in Cyber Security, beginning as a special agent and cyber crimes investigator for the FBI. Since then he’s transitioned into several roles, most recently as the Chief Risk, Security, and Information Security Officer at ExtraHop. He shared the story of his unusual career path and his advice for other people who want to make a similar journey.
How did you first get into the cybersecurity industry?
It was almost entirely a consequence of my service in the FBI. I spent six years in the United States Navy, where I was supposed to go into submarines, but I ended up on a carrier because we won the Cold War back in ‘91, so we just didn’t need as many subs. I did a little bit of time in the corporate world and didn’t love it, then I joined the FBI in 1995. That was right as cyber was becoming a thing. We didn’t even have a cyber division in the FBI back then, but we had a cyber investigation section coming out of the white collar branch. We created what was known as NIPC, or the National Infrastructure Protection Centre, then eventually when Muller came in, in 1999 or 2000, he created the cyber division. I grew up in the FBI and cyber at the same time, because I was an Electrical Engineering and Computer Engineering technologist, so it was the right place for me to go.
I made a great career in cyber in the FBI. When I retired from the FBI I went to another agency, which was the Department of Education, making a transition from a very serious law enforcement and intelligence community agency to the one that was more public facing. After that I retired from federal service and then I went into the public sector as a full time employee, but then I started to move into the consultant track where I’ve had multiple great partnerships with customers, and it was really good. I went back to full time employee status when I came to ExtraHop a couple of years ago. So that’s the route that I took, but I would say my experience in the FBI was really what pushed me into cybersecurity.
Who or what has been the biggest influence in your career?
Because much of my career was in public service, the biggest influence has been the amazing public servants that I met in my career. My role model was a man in the United States Navy named Admiral Larsen. He was a four star Admiral, and I worked for him in the Pentagon. He was just an amazing man. Anybody who knew Admiral Larsen recognises what a great leader he was.
In the FBI there were a couple of amazing public servants too. I would say David Thomas, who was one of the early assistant directors of the cyber division, was also a great man. He helped build the cyber programme within the FBI. He was one of the great men I knew in the FBI.
And then at the Department of Education there was a man named Chuck Cox. He was in the Air Force Office of Special Investigations before he went over to the Office of the Inspector General. He has since passed away, but he was a tremendous man. Each of those individuals modelled public service in an amazing way for me.
How do you feel your background within the FBI has shaped your career working for a security vendor like extra hop?
I think it’s absolutely vital that anybody who works in security understands the nature of threat and risk. If all you do is think about technology, you’re missing the boat. The job of the business is to stay in business, make money, acquire and retain customers, sell more products, provide better services and increase not just your profit margin, but also your presence in whatever sector you’re in. They don’t want to have to worry about cyber security, so the cyber security folks have to understand the threats to the business for them.
You have to be able to see things in terms of risk, and that’s what the FBI did for me. One of the things that Muller did when he came into the FBI was created priorities, and we created those priorities based on the risks. After 1991, the number one priority in the FBI was counterterrorism, number two was counterintelligence, and of course, number three was cyber because of the growth of cyber attacks at that time. So what I learned in the FBI was to see things in terms of risk, understand a threat, appreciate the capabilities of the threat actors, and then turn around and prioritise and your resources appropriately to reduce the threat either by remediation or mitigation. If you can create compensating controls around the threat, it reduces the actual risk. At the FBI I learned that you can accept some threats, others you just have to remove, and some you can create compensating controls around.
What one piece of advice would you give to someone entering the industry?
I would tell them to one, stay humble, two, listen, and three, be willing to do things that you’re not comfortable with so that you can learn from the experience. There’s different reasons for learning. You should learn how to do something you’re not comfortable doing so that you appreciate the people who do it on a daily basis. You should learn to do something to understand the level of effort that it actually takes, so that when you ask people to do it as a leader, you know what they’re going to do for you and what they’re going to have to give up to get it done.
To learn more about Mark Daniel’s experiences and insights, tune into Episode 21 of The Cyber Security Matters Podcast here.
We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.