Being the chief information security officer (CISO) for a major supplier is intense. You work alongside experts who know your job just as well as you do, and you’re always in the crosshairs of potential attackers.
I sat down with Stephen McDermid, regional chief security officer (CSO) for EMEA at Okta. He shared his thoughts on the importance of building strong connections with customers and partners. With his background in senior cybersecurity roles at Salesforce and the Scottish Police, he’s no stranger to these challenges. At Okta, he sees himself as the eyes and ears for CISO David Bradbury, helping customers grasp Okta’s security strategies, providing support, and aligning with company goals.
McDermid views customers as partners deserving maximum protection. “We find ourselves doing things that a typical SaaS provider wouldn’t,” he explained. “We proactively monitor for threats targeting customers. If we can see an attack and alert the customer in time, that’s a win.”
He emphasized the concept of shared responsibility. McDermid applauded Okta’s leadership for fostering collaboration between executives and the security team. “Ultimately, security is still a people business,” he said. “Even with experts, it’s about engaging hearts and minds. Being clear about our objectives helps everyone get on board.”
He also mentioned the Okta Secure Identity Commitment, launched in February 2024. It outlines the company’s mission, providing customers and employees with a clear direction for the future. “It’s vital to explain the ‘why’ to everyone, not just those in security,” McDermid noted. “This helps them join the journey, rather than just following orders.”
One way they do this is through phishing simulations, which serve both as training and as a way to assess preparedness and shape user mindset. “We conduct phishing training and track results, then send a legitimate feedback request right after,” he explained. “It’s crucial for users to recognize what’s real and what’s not.”
McDermid aims for a frictionless experience, avoiding sudden changes that users do not fully understand. This approach led to the creation of a security culture team focused on internal messaging and on tracking the organization’s security culture over time. “Raising our security standards hinges on this,” he stated.
He openly addressed the stereotype of the “department of no” that often surrounds security teams, an approach that can stifle progress. “We need to empower the business and make them aware of risks,” McDermid explained. Keeping employees informed fosters their involvement in the security roadmap and clarifies any obstacles they might encounter.
We discussed how the CISO of a cybersecurity firm reacts to attacks on others. “When incidents hit the headlines, we analyze what happened, identify the threat actors, and consider our response,” McDermid shared. This reflection shapes their understanding of potential threats and helps them prepare for similar challenges.
For any incident affecting customers, he prioritizes addressing those issues swiftly. If a vulnerability arises in a particular sector, he ensures they act immediately. “In this close-knit industry, if a partner or customer experiences an attack, I reach out to offer support. Sometimes, just having another perspective to discuss things can make a difference,” he said.
Learning from incidents is crucial, and McDermid underscores the need for transparency. “That’s how you build trust—by sharing what happened, what steps you’re taking, and how you’re improving.”
A year after a high-profile breach involving access tokens, Okta is forging ahead in cybersecurity, showing that the incident didn’t hold them back. They’re solidifying their position as a secure identity provider and enabler of cloud services, driven by a strong internal foundation.