CSO Conversations: Stephen McDermid, Regional CSO of EMEA
CSO Conversations is a blog series interviewing Okta’s Regional CSOs, who support David Bradbury, Okta’s Chief Security Officer, in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership.
What motivated your career pursuit in cybersecurity?
While working as Head of IT, the business needed to achieve ISO27001 in order to meet our government contractual requirements. It was an area I had always had an interest in, and so we brought in some external consultants to help us achieve the certification, but also to educate us on the ISO approach. After we delivered ISO27001, I was then asked to deliver PCI-DSS for our much larger Tier-1 parent company, which had acquired us the previous year, and so this brought a whole new dimension to understanding our application, infrastructure and security challenges. As part of agreeing to do this and successfully delivering the certification, I asked the business to offer me the recently-vacant Information Security opportunity, and this led to my first Information Security role!
Are there any emerging trends or technologies that have you particularly interested?
It’s impossible to avoid the rise of AI and specifically, AI Agents. By the end of 2025, we’ll be living in a world with billions of autonomous AI Agents acting on our behalf. There are important questions that the cybersecurity industry needs to answer - what are these bots doing? What information do they have access to? And, how do we set and control the conditions and parameters around what information they can share, with whom, and under what circumstances?
What’s interesting is that right now, all these questions are up in the air. These bots don’t have the benefit of basic cybersecurity awareness training. They don’t have that human sixth sense that tells us something just might not be right. They can’t think for themselves. All it takes is one rogue prompt for an AI Agent to mistakenly share sensitive, personal or financial information with another agent, and things could quickly escalate.
How has your previous experience in cloud computing shaped your approach to cybersecurity today?
Having a background in on-prem and cloud technologies definitely helps when it comes to cybersecurity. Threats span across technology stacks and so understanding how these threats can affect different elements is key. However, understanding the protections and benefits that cloud computing can bring is just as important and so being able to help our customers understand both sides is pivotal to my role.
What are your thoughts on traditional passwords in today’s technology landscape, given modernized threats?
I think I’m aligned with most when I say the sooner we can get rid of them, the better. I don’t think it’s the catch-all, but certainly when we see over 80% of breaches coming from compromised passwords, it’s time for change! I think they will always be needed in some areas of technology, but the governance and visibility have advanced massively over recent years, and so we need to ensure tighter controls around them. Not just the typical complexity and policies, but where they are used from, when they are used, during use and even after use, we can apply a lot more governance!
What trends are you seeing in cybersecurity relating to your region?
It’s hard to see beyond the buzz of AI and all that it brings, but with the heavy regulation we have in the European Union, we have a number of new regulations, such as the EU AI Act, that add additional levels of protection and complexity. Everyone has a lot of questions about how they can be compliant and how suppliers and partners can help. We’re seeing a growing trend of compliance automation and engineering to navigate these challenges, and the more we can simplify the regulations and evidence compliance, the better.
In your recent interview, you referred to the Secure Identity Commitment and Okta’s transparency. How important is it to be transparent in your role as Regional CSO?
Transparency is a critical pillar of our cybersecurity strategy and how we work with our customers. Even though we have people who are incredible security experts at Okta, ultimately, security is a people business. It’s hearts and minds, and our focus on being transparent, especially in times of crisis, is a key differentiator here.
To ensure Okta has a strong security culture, we’ve spent a lot of time explaining the why behind the changes we are making, how it will affect our teams, and importantly, how it will benefit our customers. Ensuring everyone is on the same page internally is vital to ensuring we deliver consistent messaging and communications to customers. In the many hundreds of conversations I’ve had with customers, they’ve recognized, appreciated and thanked us for our openness and collaboration.
If you could provide a few short cybersecurity words of wisdom to Okta customers, what would they be?
Identity is part of every project, from application modernisations, to infrastructure migration, to business operations and staff training! It’s important to understand how identities in these projects tie into your strategic goals, and more importantly, how you are applying governance, control and visibility of what’s happening across them. It’s in these dark corners of IT transformation that dangers lie and shining a light on them thoroughly and regularly ensures confidence against identity attacks.
What are some healthy cybersecurity habits you’ve gotten your friends and/or family to adopt?
The idea that every website needs to know your date of birth, your address or even your real name has always been alien to me. Using aliases, fake dates of birth and addresses across the multiple website registrations of today's world has always been something I’ve recommended. Obviously, applications like banking or governmental sites are the exception, but that website that you sign up to for a newsletter doesn’t need the real data! So my advice has always been to consider what you're sharing and with whom, especially in today's world where so many applications or websites are free, which means the cost to use their service is your personal data.
What do you think may be some key changes the cybersecurity industry sees this coming year?
We need a mindset shift across the cybersecurity industry with far more collaboration between industry players. We face an unprecedented threat environment, and this is before the potential risks that AI Agents bring to the table.
We need to agree to more standards, best practices, and frameworks around cloud applications and how they communicate with each other so that they are secure by default. A single cybersecurity vendor cannot achieve this alone. We’ve already started on this by working with others in the Interoperability Profiling for Secure Identity in the Enterprise (IPSIE) working group in the OpenID Foundation to help standardize secure identity management across SaaS solutions and vendors.
Stephen McDermid was recently interviewed by Computer Weekly on how Okta is championing a secure-by-design approach, emphasizing the Okta Secure Identity Commitment (OSIC) and the importance of building a strong security culture. Stephen was also featured by ITPro, capturing a CSO’s perspective on DORA compliance.