CISO Spotlight: Mike Wilkes on Building Resilience in an Evolving Threat Landscape

Mike Wilkes has had a career many cybersecurity professionals could only dream of. An adjunct professor, former CISO of Marvel and MLS, member of the World Economic Forum, drummer, and board member at the National Jazz Museum in Harlem, he has interests and achievements as eclectic as they are impressive.

In the first edition of CISO Spotlight, we sat down with Mike to explore the skills, strategies, and stories that have defined his remarkable career – and got his take on the latest trends defining the modern cybersecurity industry. 

From Philosophy to Firewalls

As you have probably gathered, Mike Wilkes hasn’t had a typical career path. With a background in philosophy and a master’s from Stanford in the philosophy of education, he began his career working in a Californian K-12 education think tank. However, it didn’t take long for him to realize that he could put his talents to better use in the tech world. 

“There were more computers in the dumpsters of Palo Alto than in the classrooms,” he said. “I knew then that tech was where I could make a real difference.” This realization led him to early roles in WebOps during the dot-com boom, where he helped launch digital platforms for Starbucks, PlayStation, and Macy’s. 

But Mike was never just a web guy. “I ran the infrastructure,” he said. “Before DevOps was DevOps, we called it WebOps. Security wasn’t a department back then – it was something you did so your servers didn’t crash at 2 a.m.”

A CISO Career Path Spanning Sectors

Over the years, Mike has held CISO roles in a vast range of sectors – finance, entertainment, tech, sport, and more. “I even like to say I kept Iron Man safe,” he joked, referencing his time as CISO at Marvel. At the American Society of Composers, Authors and Publishers (ASCAP), the two sides of his identity – cybersecurity leader and jazz drummer – came together in harmony. “Being able to combine music and security in the same job? That was awesome.” 

Mike has also worked with the World Economic Forum and co-authored papers on quantum security. “If you take machine learning and combine it with quantum, you get the Reese’s Peanut Butter Cup of hype,” he laughed. “But the real question is: how do you actually use these technologies to protect data?” 

The Two Types of CISOs and the Real Skills CISOs Need Today

Considering his extensive and varied CISO experience, few people are better placed than Mike to offer insight into the role – and his opinion of many CISOs is pretty damning.

“There are two types of CISOs: the player-coach and the pure coach,” he argued. “Player-coaches have the hard skills – they know how to log in, read logs, and find threats. Pure coaches rely solely on influence and relationships.”

That said, while Mike values technical depth, he believes modern CISOs must also master business alignment. “Someone at a security conference once said, ‘We don’t just need security awareness training for employees – we need business awareness training for CISOs.’ And that’s stuck with me ever since.”

Security, he says, must not be the “department of no.” He urged CISOs to say, “Not yet, let’s try it this way,” instead of just saying, “No, you can’t do that.” He even went as far as to say that if CISOs don’t understand how their company makes money, they’re not securing the business – they’re just slowing it down. 

Advice for CISOs: Jedi Mind Tricks

Mike’s advice for CISOs is to approach the role with a healthy amount of pragmatism and subterfuge. “You have to use Jedi mind tricks,” he says. “Make your CEO think it was their idea. Present three options – maintain, downgrade, or upgrade – and guess what they’ll pick.” 

However, for Mike, succeeding as a CISO isn’t just about clever use of suggestion – it’s also about talking to CEOs and board members in concrete terms they understand. “If you say, ‘This API could lead to a data breach,’ that’s abstract. If you say, ‘This breach could cost $10 million and take our systems down for three days,’ that’s real.”

Breach Cadence Over Breach Likelihood

To further emphasize the importance of robust cybersecurity to key decision makers, Mike recommends changing the narrative: it’s not about if an organization will suffer a breach; it’s about when. 

“Any company can be breached,” he said, “just give the attackers enough time and motivation. So CISOs need to stop talking about likelihood. Talk about cadence.” He contrasts two companies to illustrate the point. “Maybe T-Mobile gets breached every few months. FireEye went five years before a breach. Ask your CEO: what would you pay for five years of peace?”

The Hard Lesson Most Companies Learn Too Late

One of cybersecurity’s most significant problems, Mike argues, is that far too often, it takes a major breach to convince an organization that they need to improve their defenses. “Most organizations won’t spend $500,000 on prevention until they’ve lost $5-10 million in a breach. It’s like kids and hot stoves – you tell them it’s hot, but they don’t learn until they burn their fingers.” 

Mike believes that this reactive approach to cybersecurity is tantamount to outsourcing prioritization to attackers, with dire consequences. “We’re letting threat actors determine what matters,” he said, “instead of building resilience ourselves.”

The Importance of API Security

API security is an area that Mike believes deserves special attention. “85% of all internet traffic is machine-to-machine – in other words, it’s APIs,” he says. “But most companies don’t even know how many APIs they have.” 

He continues: “There’s this thing called low-code/no-code. People paste API keys into Slack or Salesforce without any review. That’s like duct-taping a backdoor to your datacenter.”

So, what’s the first step? “Visibility. You can’t protect what you don’t know you have. But visibility isn’t enough. You need control, documentation, monitoring, and context around data flows.” 

How AI is Democratizing Cybercrime

Moving on to the topic of AI, Mike recognized that there are both risks and opportunities. “AI has let the junior varsity play at the varsity level,” he said. “We used to worry about nation states. Now we’re worried about bored teenagers with AI tools.”

On the defensive side, however, Mike is more optimistic. “Every CISO should have an AI sidekick trained on company policy, capable of spotting anomalies and streamlining decisions. But they would need to deploy it responsibly, not just for its own sake.”

People First, Always

Now teaching at NYU and Columbia, Mike sees mentorship as an extension of his mission. “I teach because I want to inspire the next generation. I want them to know that this work matters.” 

His mentorship is an extension of his broader view on cybersecurity: “The product of cybersecurity is the avoidance of harm. And we do that through people, processes, and tools – in that order. Tools, while helpful, come last.”

Asked about his dream vacation, Mike replied, “Iceland. Volcanoes, glaciers, raw nature. Also, Japan, for the culture of respect for elders. Now that I am an elder, that sounds good.”

And as for a cybersecurity theme song? Wilkes had AI write one: Mirror, Mirror, on the Wall. You can listen to it here.

The post CISO Spotlight: Mike Wilkes on Building Resilience in an Evolving Threat Landscape appeared first on Wallarm.