Join Security Barista, John Martinez, and Cyber Sherpa, Michele Thomas, for a coffee chat as they discuss the evolution of cybersecurity and the trust challenges surrounding this ever-growing field. Michele shares insights from her extensive career in the tech industry, detailing how she broke into the field and the significant changes she’s witnessed over the years. Listen in for some valuable advice on navigating the world of cybersecurity.
There are a lot of people in cybersecurity who are within 10 years of retirement. We need new people. We need fresh perspectives, more variety, and different ways of thinking, because the problems coming at us are increasing faster than we can handle. That ability to adapt and consider different viewpoints is critical.
I want to go back to something you mentioned earlier about zero trust, because I think it applies more broadly to security. When executives go to conferences or hear about specific technologies or frameworks, most of the content is geared toward a technical audience. As engineers, we naturally love the technology itself, but the messaging to executives—those making decisions based on business impact—is often broken.
So how do we fix that?
There’s a common fallacy in both the public and private sectors: vendors and leaders focus too much on return on investment instead of return on value.
As an executive, when I meet with vendors, I want to know what I can achieve with the product—but not just in terms of cost or features. I want to understand what it actually does for my business. Will it require significant training? Will it change how my teams operate? What impact will it have across the organization?
Ultimately, what value does it bring?
For example, when I worked at the Department of Labor, I led a major software platform reimplementation. I didn’t focus on the technology or the cost when making the case. Instead, I showed how we could reduce inefficiencies by measurable percentages. After implementation, we exceeded those projections. No one lost their job—people were able to focus on higher-value work.
That’s what matters. Value.
Yes, ROI matters, but if you can demonstrate improvements in performance, efficiency, or revenue within a few years, that’s what resonates with executives.
Let’s shift to careers.
What are you most proud of?
I’ve had many professional accomplishments, but one of the most meaningful experiences was personal. My father was an Army medic in World War II and landed at Omaha Beach. After he passed, I went through his papers and discovered he had received two Bronze Stars—something he never spoke about.
I tracked down members of his unit and eventually traveled to France to retrace his path from Normandy to Paris. Along the way, I learned lessons about gratitude, resilience, adaptability, discipline, and camaraderie from the people there.
Those lessons stayed with me and later shaped how I approached leadership and business.
So what advice would you give someone looking to get into cybersecurity or become a CISO?
Cybersecurity is a broad field. You need to figure out what interests you. Some people focus on policy, others on coding, analysis, cloud, or program management.
It’s not limited by age, background, or identity. What matters is your willingness to learn.
I encourage people to explore, ask questions, and find communities—whether through LinkedIn, Facebook, or professional organizations. Mentorship is especially important, and I spend time mentoring women and others entering the field.
You don’t have to jump in all at once. Start small, learn, and discover what resonates with you. Over time, you’ll find your path.
If you use what you know to learn what you don’t know, you can go far.
Before we wrap, anything you’d like to share?
I recently retired from public service and co-founded a consulting company called Trusted Tech. We focus on cybersecurity strategy and data management. It’s been exciting to build something new and continue helping organizations navigate these challenges.
That’s another episode of John Has Trust Issues.
I’m John Martinez, technical evangelist at StrongDM, where we enable modern access management and continuous zero trust authorization across your infrastructure.
Thanks for joining, and have a great day.