author photo
By Cam Sivesind
Sat | Apr 8, 2023 | 8:21 AM PDT

In the SecureWorld Spotlight Series, we learn about the speakers and Advisory Council members that make our events a success. In Q&A format, they share about their professional journeys, unique experiences, and hopes for the future of cybersecurity—along with some personal anecdotes.


Steve Naphy says he is very fortunate to be Chief Information Officer (CIO) for one of the largest law firms in the world, Morgan, Lewis & Bockius LLP. Personally, Steve craves outdoor experiences and pursuing the knowledge that enables him to do new things himself.

Get to know Steve Naphy

Q: Why did you decide to pursue cybersecurity as a career path?
A: I have worked in information technology (IT) and networking for more than 20 years in the retail, distribution, and legal industries. When I started, networking owned the firewalls. The concept of granular access control fascinated me.

Q: How would you describe your feelings about cybersecurity in one word?
A: There are times I wanted to say "Sisyphus" because it sometimes seemed futile. I think I'd use the term "resilience" now.

Q: What has been your most memorable moment thus far working in cybersecurity?
A: Anytime an IT person or an end-user approaches me and says, "I stopped this" or "I caught this, aren't you proud of me?," that makes me feel like I have done my job.  I'm the father of three daughters, and my goal was never to protect them, it was to teach them to protect themselves. My goals in InfoSec are similar: to teach the organization how to protect itself.  You might say I am trying to engineer my own obsolescence.

Q: If you had to choose, what's the one cybersecurity practice people can adopt that would have the greatest impact?
A: I wish more people realized that trust is not a control.

Q: What is an industrywide change you would like to see happen in the future?
A: Being more strategic about leveling up security protections through processes and tools. In some cases, if you spent half the time you spend on implementing the next greatest tool on improving the tool you already have, it might wind up being better than what you were going to switch to. We can get distracted by too much "moving" to the next shiny object.

Q: If you could pass or change one regulation/law in cybersecurity and data protection, what would it be and why?
A: Detailed Audit logs must be recorded for everything. Every bank, etc., should be able to show me, without me asking, the last 56 times I logged in, when, from where, on what device, and what did I do. When something goes wrong, "I don't know what happened " shouldn't be the answer.

Q: What encouraged you to join your current organization (employer)?
A: Word of mouth and an opportunity to be involved from the ground up in establishing an InfoSec team at a law firm. My move to Morgan Lewis began when a coworker who had left my previous organization reached out to tell me that his new firm, Morgan Lewis, wanted to start an InfoSec team.

Q: What do you wish more people knew about your organization? 
A: We are not that law firm with the television commercials and billboards near the Philly stadiums; that's a very different "Morgan." They are a personal injury firm; we don't do that stuff.

Q: When you tell people what you do for a living, what do you say?
A: I lead a highly-trained and brilliant IT team that works very hard to make the user community think all this IT stuff is easy.

Q: What are you most looking forward to at your regional SecureWorld conference this year?
A: Reconnecting with the Philadelphia InfoSec community.

Q: In honor of our 2023 conference theme, CyberSonic: Security & Sound Remix, what is your all-time favorite song?
A: I enjoy an outdoor adventure/journey. Rusted Root's "Send Me On My Way" is a great song to start that journey. The lyrics are largely gibberish, but I find the rhythm invigorating.

To connect with Steve Naphy and other cybersecurity leaders from the greater Philadelphia area, attend the 20th annual SecureWorld Philadelphia conference on April 19-20, 2023. Steve will be presenting a session titled Transitioning from CISO to CIO: What Changes? See the conference agenda and register here.

Continue to follow our Spotlight Series for more highlights from industry experts.