CISO Marcin Szczepanik on Culture, Tools and How to Benchmark Maturity
CISO Marcin Szczepanik recalls the day, not so long ago, when his team’s budget was cut dramatically after the onset of the pandemic. His organization, U.K.-based Essar Oil, which supplies fuel to the aviation sector, lost the majority of its revenue as the airline traffic fell to a near standstill.
Szczepanik says he needed to modernize security systems but knew he couldn’t invest in “state-of-the-art, AI-driven tools” because there was no budget available. “People became my defense. Not the tools, not the heavy investment,” he says.
He prioritized the company’s needs and invested much of his time in training, cybersecurity awareness and revamping the company’s incident response plan to guard against rampant ransomware activity. Yet he determined that he couldn’t compromise on email security. “Email is still 90% responsible for all your attack vectors,” he says. “So, we did quite significant work on upgrading our email security.”
In addition to investing in software, he and his team worked with the business unit to review every security policy and identify potential areas of compromise. These initiatives helped Szczepanik improve the company’s level of cyber maturity – even on a budget.
In this video interview with Information Security Media Group, Szczepanik discusses:
- What his extensive experience in the oil industry taught him about making the most of limited resources;
- How to prioritize technology investments on a budget;
- Developing and measuring the maturity of cybersecurity programs.
Szczepanik leads security and data protection at Essar Oil. He draws upon OT and IT experience from a variety of industries including energy, automotive, retail, chemical, utilities, nuclear, manufacturing and recruitment. Szczepanik says his passion for technology comes from dealing with people and life’s challenges. His favorite quote is, “If you think the problem can be solved by technology, then you probably don’t understand the problem.”