Ahead of the Breach - Joe Mariscal, Director of Cybersecurity and Compliance at Ryerson
Ahead of the Breach Podcast sits down with Joe Mariscal, Director of Cybersecurity and Compliance at Ryerson, as he shares his journey from the Marines to building a robust cybersecurity program and emphasizes the importance of leadership in preventing burnout among teams.
Every week, Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.
In our latest edition, we dive into our interview with Joe Mariscal, Director of Cybersecurity and Compliance at Ryerson. Here are the top takeaways from the interview.
#1: Strive to Make Work-Life Balance Sacred in Leadership
“They weren't concerned about the person's personal life. They weren't concerned about their stress level. They were expected to be on 24/7, you know, reading emails on vacation, after hours, on the weekend. And if something was supposed to happen, they were expected to know because they were constantly monitoring it. To me, that's bad leadership. That's not caring for the individual, that's not building a resilient individual or resilient team, that when things happen, they can operate at 100% efficiency. In general, there should be some sort of escalation path, some sort of monitoring path. So if you have overnight MSP or overnight help desk, there should be a known path to be able to escalate up and contact the teams. Again, we're staying away from ‘those teams are expected to be on all the time.’”
Actionable Takeaway: True leadership values individual well-being, avoids 24/7 demands, and builds resilient teams. Establishing clear escalation paths and backup support protects employees’ personal time, enabling them to perform at their best. Prioritizing balanced workloads enhances team morale and effectiveness.
#2: Manage IoT in Manufacturing to Effectively Secure Your Assets
“There's a number of things in the manufacturing space across all industries, and that's around OT, IoT, and IIoT — industrial internet of things. And so it's funny because I will talk with peers or I'll talk with other leaders and they're like, well, we don't have any OT or IoT or IIoT. Yes, you do. Let's talk about that, and suddenly they realize they have OT or IoT. Now, in a manufacturing, you have an oversized amount. You can have anything from, at least in ours, CNC machines, laser machines, cutting machines, something like that. But of course, you're going to have all the other things from camera systems, alarm systems, vending machines with hardware, vending machines with candy, also all of those things. So a lot of times you can't put agents on them. They can be hard to log, extremely difficult to patch, if at all. And so how do you understand and manage those?”
Actionable Takeaway: Many manufacturing environments unknowingly depend on operational technology (OT) and IoT devices, from CNC machines to vending systems. These are often hard to monitor and secure, but recognizing and managing these assets is essential for safeguarding the interconnected infrastructure of modern manufacturing.
#3: Utilize Cybersecurity as a Business Enabler
“The whole reason that cybersecurity is there is to make sure that the company can operate and be force multiplied with whatever they're doing, whether it's just existing and meeting the status quo or entering new markets. How do we add a cybersecurity shield around whatever that is that they're trying to do to reduce that risk for the company? The other part is once you've identified those risks, you place them in some sort of risk register. So you want to score them and you want to understand where they are. This could be industry scores, this could be threat-enabled scores, this could be CVSS scores, anything. Whatever it takes to say, hey, confidently, we think this is external, it's internal, it's segmented. Here's our priorities, here's our top three or five priorities. And then you build out the mitigation plan and then you present that to executive leadership. Typically you try to use that business speak, convert that into business speak and then say, okay, these are the resources. And ultimately, ultimately it becomes a business decision. Whether cybersecurity likes it or not, it's a part of the business that helps the company conduct business, not the other way around.”
Actionable Takeaway: Effective cybersecurity isn’t just about protection — it empowers companies to operate and grow safely. By assessing risks, prioritizing threats, and developing a targeted mitigation plan, cybersecurity leaders can align security initiatives with business goals, transforming risk management into a strategic asset.
Listen to full episodes out now
For more information about Ahead of the Breach, please visit www.sprocketsecurity.com/aob-podcast. Episodes are available on all major podcast platforms.
We look forward to bringing you more conversations with actionable insights that help in your pursuit to protect your most valuable assets — and help clients do the same!