Somersaulting out of planes at 14,000 feet with his wife is how Shawn Bowen escapes the pressures that come with being a CISO.

“Life is all about managing risk, and adequately preparing for that risk so that you can get the most reward out of it,” quipped Bowen, the Chief Information Security Officer of World Kinect Corporation, a Florida-based energy, commodities, and services company. “It’s all about getting to do bigger, better, new things. But the enjoyment that it generates means balancing this risk of the downside.”

Bowen’s professional life started at age 17 when he joined the U.S. Air Force Reserve, where he served nearly 25 years in the cyber warfare domain. On a parallel track, the self-educated technologist worked as a mainframe operator; did quality assurance on code and development; carried out various engineering and architecture roles; led security programs within IT functions for the Department of the Army; became the first CISO for Marine Corps Intelligence; and ran the cybersecurity program at one of the big U.S. intelligence agencies.

His career took a sharp swerve when he left the structure and foundation of government work to join what he referred to as a 180° opposite of that — the world of franchise restaurants as the first CISO of Restaurant Brands International, the parent company of Burger King and Popeyes. Two and a half years ago, he joined World Kinect.

While single, he traveled down a third, simultaneous track, too.

“After work, I filled my time with everything that was interesting to me: playing sports to the highest level I could accommodate, being ‘shipwrecked’ for 10 weeks on a Pacific island for a reality TV show, and dabbling in other career fields for the experience and perspective. I was a volunteer firefighter for over 7 years, spending as many hours at the station as I was in the office. People like to use analogies of cybersecurity being like firefighting. Well, I’ve done that,” he said, pointing to his fire helmet in the background. “They also compare risk to jumping out of a plane. I can tell you about that, too!”

These various threads, Bowen says, kept him grounded.

“While I was a CISO making decisions for the Marine Corps Intelligence enterprise, I was just the firefighter on an engine, with people above me. That gave me a good awareness of the realities at that level of how people are thinking and operating. Sometimes, when you only sit in your office or boardroom, you lose touch with how people are really doing things.”

Bowen’s biggest challenge at World Kinect Corporation is the company’s multiple mission sets. Its diverse offering includes supply, logistics, sustainability, price risk, transaction management services, aviation support, flight management applications, private airport management technologies, rewards programs, air chartering, and government solutions around land, maritime, aviation and renewable energy.

“The breadth of our offerings changes my risk profile throughout,” he said. “I have different brands or products with completely different profiles. Trying to build those discrete risk profiles based off of the impact that a threat exploitation could have can vary vastly from one profile to the other.”

Bowen gets to bring a lot of security innovations into the organization. This summer, the business migrated all 22 of its worldwide data centers to the cloud. It’s already replaced all its telephony-based call centers with communications via video conferencing.

By getting rid of on-premises networking where possible and going to SD-WAN, the organization has achieved greater diversity and a competitive edge, “where we’re able to quickly modify and migrate some of our offerings as customers’ security demands grow,” he said.

Because the business is low margin, his team seeks to do more with open source and automation and uses technologies like ChatGPT to streamline some of its work.

Participants in the company’s internship and new graduate program are constantly being challenged to bring things in with what Bowen calls a “college budget.”

“Living on ramen and mac and cheese? Apply that to our technology stack where possible,” he said. “When you’re limited in what is given to you, you tend to think outside the box.”

In that vein, his team no longer applies the same risk profile to every part of the company.

“We tailor threat modeling based off of the individual risk profile,” Bowen said. “That’s one of the many things that we’re trying to change in the way we approach things here so that we are spending the right number of resources protecting our enterprise.”

For new entrants to the field, Bowen advises learning the technology first.

“There are a lot of people coming into cybersecurity who need to write a policy or partner up with IT to secure an operating system, and they’ve never managed the technology, so we’re inflicting pain on our IT peers,” he said. “It’s critical to take that time to gain experience on the IT side.”

He also advises newcomers to practice threat modeling all the time – and not only in cybersecurity.

“If I’m going on a five-hour road trip, what’s the likelihood of a flat tire? Where are my charging stations? Do I have kids in my car that need entertaining? The more you actively practice that threat modeling habit and critical thinking, the more natural it becomes and the quicker you can respond to cybersecurity threats in time of need.”

As the CISO’s role evolves, Bowen sees the industry headed toward greater differentiation. While there is commonality within the CISO community, different types of requirements are needed for different types of industries, he said.

“With the number of vendors solving every possible problem in cybersecurity, too often people look for a new tool to solve the problem. We’re constantly challenging each other to find new ways to use our existing tools that maximize that value, or simply building it ourselves,” Bowen said.

“With the SEC’s recent ruling on cybersecurity ensuring Board oversight of threat risks and management’s role in assessing and managing those risks, it will become increasingly apparent that not all CISOs are experienced enough to discuss cyber risk in the language of the business. But it also shows that the language of the business is evolving to include cybersecurity, and that will highlight the number of executives that don’t have the same understanding of cybersecurity that they possess about other critical segments to run a business such as legal, finance, people skills, etc.,” he said. “It is our responsibility to better ourselves as business partners, and it is our opportunity to educate our peers on the cybersecurity impacts in a way they understand and care about.”

“A lot of CISOs are locking arms and saying, ‘Hey, we’re CISOs and here’s what we need as an industry,’” Bowen said. “But as we’ve made that headway, we now need to start talking about the different requirements. You don’t necessarily want a cybersecurity or CISO-certified person of a software company on the board of a manufacturing company.”

As more technology becomes accessible to more people, an organization’s security posture becomes more complex, he said.

“Ordinary people are using artificial intelligence and other technologies without understanding the gigantic iceberg below it,” he said. “Threats have always been infinite, but now they’re more accessible. That changes how we respond and build a defense program.”

“A successful CISO will know how to talk about that iceberg in relatable terms to business leaders so they can understand both the risks and the threats, and the value CISOs bring to the business and its bottom line.”

Bowen would like to see the codification of best practices that organizations should follow to protect corporate and customer information.

“Even a standard slide that every board member needs to see would be something that I think would simplify,” he said. “We say we want standardization, yet we immediately argue over what the standard should be.”

When Bowen was a teenager, his father told him, “Don’t ever say you want to do something, say you did something,” and that’s been his guiding principle. Things like firefighting and being shipwrecked have given way to an amazing wife and two young children who keep him busy and put the smile on his face, but video games and skydiving complement the work he has a passion for.

“The games are how I stay in contact with my family,” he said. “Skydiving gives me a little bit of adventure and mental distraction. If I’m thinking about anything other than that, I’m thinking about the wrong thing, because landing in one piece is the highest priority.”

Read the CISOs Connect™ Magazine CISO Spotlight Edition here: https://bit.ly/3OZjfJx