Blog

The Security Sitdown with Mark Sutton | Bain Capital

Jul 07 2026   •   Paul Valente

In this episode of The Security Sitdown, we sat down with Mark Sutton, CISO of Bain Capital, for a candid conversation about influence, resilience, and what it takes to lead security at one of the world’s most prominent asset management firms.

Mark’s path to the CISO chair is anything but typical. He started his career smiling and dialing as a BDR, and a decade ago, a customer asked him to become their CISO. That customer was Bain Capital, and he’s been protecting it ever since.

We dig into why security leadership is fundamentally a sales job, how AI is giving attackers unprecedented speed and volume, why assuming compromise changed everything about how modern programs are run, and the reason Mark believes a CISO’s best defense (and the key to a good night’s sleep) is the team around them.

Before we get into the key insights from the conversation, you can watch the full interview with Mark Sutton below.

[EMBED: YouTube video]

TL;DR: Key Insights for Security Leaders

  • Security leadership is an influence job: CISOs don’t close deals; they find a way to yes inside their own organization.
  • The fundamentals of security haven’t changed – attackers still target the same assets. What’s changed is the speed, volume, and sophistication of the pathways in.
  • AI is the attacker’s force multiplier today: faster vulnerability exploitation, higher-volume credential attacks, and more sophisticated phishing at scale.
  • Assume compromise at all times. Success is measured by how quickly you detect, how rapidly you respond, and how well you minimize the blast radius.
  • Threat actors collaborate constantly – defenders have to build trusted peer networks to keep pace.
  • The key to sustainability (and sleep) as a CISO: hire a phenomenal team and empower them to own the fight.

From BDR to CISO: An Unconventional Path Into Security Leadership

Mark Sutton didn’t set out to become a CISO. He got his start in cybersecurity on the sales side, working his way up from inside sales – a hundred dials before lunch – to outside rep. To stand out from other sellers, he taught himself the technical side, earning his SSCP and CISSP so he could have elevated conversations with security buyers.

“I always tried to differentiate myself. I wanted people to think, I’m not just a sales guy – I’m an engineer, I’m an advisor. I can speak to them on their level.”

Then came the twist. While helping Bain Capital search for their first CISO – placing candidates in front of their leadership team – the CIO turned to him and asked: why don’t you do this role?

Ten years later, he’s still there, and the firm has grown from under 1,000 people to more than 2,500.

The skills transferred more directly than you might think:

  • Sales taught him influence, trust-building, and communication – the core of effective leadership
  • His success criteria changed from closing deals to selling security internally
  • One of his first projects was rolling out MFA a decade ago, in a high-performing, friction-averse culture

Security Is a Sales Job (Just With a Tougher Pitch)

Mark has a memorable way of describing what security practitioners are up against inside their own organizations:

“I describe what we do as security practitioners as having to walk into a room, punch somebody in the face, and then have them hug you afterwards. No one’s coming to a CISO saying, ‘We want more of what you’ve got.'”

The job, in his view, is threading that path – weaving security processes, controls, and policies into existing cultures and workflows, and finding the balance that gets the organization to yes:

  • Going door-to-door to reshape mindsets around why a control matters
  • Framing security in terms of business need, not friction
  • Landing on outcomes where both security and the business win

The House Hasn’t Changed – But the Break-Ins Have

Ask Mark how much security has changed in his decade as a CISO, and his answer might surprise you: fundamentally, not much. You still have crown jewels to protect, and there are only so many ways an attacker can get to them. What’s changed is how they’re getting in.

He explains it with a home security metaphor:

“The house hasn’t changed. We’ve still got windows and doors. It’s the way people are getting through those doors.”

It used to be about picking locks – so everyone focused on better locks. Then the criminal started dressing up as the UPS guy you trust. Then came the shed at the bottom of the garden – an environment you didn’t even know existed:

  • Trusted-party attacks: adversaries exploiting the people and vendors you already let in the door
  • Unknown environments: shadow infrastructure you can’t protect if you don’t know it exists
  • Citizen developers: powerful tools that were once limited to IT admins are now in everyone’s hands, multiplying the variables you have to see, control, and secure

AI Is Giving Attackers Speed and Volume – Defenders Have to Answer in Kind

On the rise of AI, Mark doesn’t mince words about what it’s doing for the other side:

“It’s the old adage of you have to bring a sword to the sword fight. What AI is doing for the attackers is allowing them to operate at faster speeds than we’ve ever seen before – and at higher volumes.”

He sees attackers leveraging AI most effectively in three areas:

  • Faster exploitation: rapidly detecting, understanding, and weaponizing vulnerabilities and zero-days
  • Higher-volume credential attacks: bots hunting for entry points without MFA and brute-forcing their way in
  • Smarter phishing at scale: more sophisticated emails moving faster than email defenses can adapt

The defensive answer is to apply AI to the same pressure points – accelerating vulnerability prioritization and remediation, automating repeatable tasks, and chaining workflows together with agentic AI. And as LLMs embed deeper into the business, a new challenge emerges: understanding what data is going into models, and verifying what’s coming out.

Assume Compromise: Minimizing the Blast Radius

Perhaps the biggest mindset shift of the last five years, in Mark’s view, is that organizations stopped pretending they could prevent everything.

“You have to assume compromise at all times. We’re going to get popped – but how do we detect it really quickly, respond really rapidly, and minimize any impact?”

That means constantly asking: if this breaks, what happens? If that pops, what happens? And working to shrink the blast radius of any single failure.

It also means honest communication with the board and leadership:

  • It’s not a matter of if, it’s a matter of when
  • Here’s what we’re doing to reduce the likelihood – and the severity when it happens
  • Sharing the pressure across leadership instead of letting it rest 100% on the CISO’s shoulders

The Network Effect: Why Trusted Peers Are a Security Control

When Mark stepped into the CISO role, his first move was to go to his people – the security leaders he’d built relationships with over years. He started hosting monthly lunches with private equity and finance peers in Boston, a network that still gets together in person and trades questions daily over text and Slack.

“Looking somebody in the eye, having someone you really trust that you can go ask a question and really trust the answer – it’s massive. And the threat actors are doing it. So to be effective, we have to do that as well.”

His take on remote work is equally direct:

“I’m a believer that you can maintain a relationship on Zoom, but I don’t believe you can build one.”

For a community raised on zero trust and “verify everything,” having peers you can simply trust removes an enormous amount of friction and stress.

Hiring, Sleep, and Staying Sane in the CISO Seat

How does a CISO stay optimistic – even lighthearted – while facing constant threat? For Mark, it comes down to the people around him.

“The key to good sleep as a CISO is hiring a good team.”

Technical chops are table stakes. What he’s really hiring for is the X factor – which is why he gets candidates out of the interview room and into a breakfast or lunch, where the real person shows up. His favorite filter:

“Everyone can run fast when they’re being chased. But I want people who run fast all the time.”

Beyond hiring, sustainability in the role means empowering the team to own their fights, giving them air cover and support, and taking personal wellbeing seriously – sleep, exercise, family time, and a trusted circle of peers to decompress with. The CISO community, he notes, has gotten much better at checking in on each other.

Why He’s Optimistic About What’s Ahead

Despite an ever-evolving threat landscape, Mark isn’t a glass-half-empty CISO:

  • Smart entrepreneurs and early-stage companies are building tools that help level the playing field
  • Business leaders and CEOs are more aware of cyber risk than ever, making CISOs more effective inside their organizations
  • Yes, attackers will keep evolving, but so will the defenders, and the community around them keeps getting stronger

Like this conversation? Stay connected.

If you enjoyed this episode, subscribe to The Security Sitdown for more discussions with today’s CISOs and security leaders – no jargon, no posturing, just honest insight from the people shaping the future of cybersecurity.