CISO Conversations

What do you see as the most significant positive steps that government, business, and the security industry have made in the past 24 months to improve cybersecurity?

Overall, it has to be awareness of cybersecurity issues. I’ve seen a dramatic increase in awareness around cybersecurity and the challenges it presents to business today at almost all levels. And with that awareness comes the opportunity to address and solve problems.

We’re able to get down to business much faster than we were just a few years ago because people get it. They understand the threat and what it means to them. There’s no doubt that security is a hard issue to address.

I think the challenge that you see in government is the same challenge you see in private industry. It's a hard issue to fix, right? When you look at what happened recently when the CIA’s most valuable cybersecurity tools leaked, that's really an access management issue. If you're in private business, who has access to applications and data within the application? The government is struggling with that too. And so, if nothing else, I think they feel our pain.

What impact has the Internet of Things had on cybersecurity planning and how has it affected your approach to operational and physical security?

IoT presents interesting threats to cybersecurity. The first is the sheer number of devices that are vulnerable to compromise. There are no standards governing security on IoT devices.

Whether it’s a camera in your home, your car driving down the street, or an industrial automation sensor, there’s no set standard for what “good” looks like in terms of security. To address what is going to stretch the industry’s ability to keep up, we’re going to have to create some operational segmentation to keep the threat of an IoT device that gets hacked from causing critical harm. And it needs to be collaborative among the people creating the devices, the people creating the networks, at the executive level within companies, and in the overall community. We have to look at this differently than we did five or ten years ago.

The number of IoT devices has already exceeded the total number of computers in use. And those numbers will continue to explode. The concern is that regular attacks from large collections of compromised IoT devices will cause major outages and disruptions.

How can CISOs effectively deal with “shadow IT resources,” those non-sanctioned business resources that often bypass official channels to deploy technology?

To me, shadow IT pops up when traditional IT fails. Either IT is too slow or doesn’t provide the capabilities, functionality, or flexibility to drive innovation. So the question is, “How do you allow a business to evolve and experiment with new tools and do it in a way that’s secure and safe?” And then, “How do you become part of the process of evaluating, selecting, and managing those tools?” Frankly, I don’t know a lot of people who are winning this battle right now.

What we’re doing is helping people understand the rules of the road. For example, we don’t want to see HR data or customer data in the cloud unless it’s an approved cloud solution that has been vetted by our security team.

With threats becoming more organized and frequent, how much emphasis needs to be placed on end user behavior modification rather than just security awareness?

As long as there's a delete key on the keyboard, people are going to make mistakes. Whether those are conscious or unconscious mistakes, our biggest challenge is creating an environment that's resilient to human error..

And we can't just educate people. We have to build protective and preventative capabilities to help make the environment more resilient. But it does start with making the users aware about cybersecurity threats. Even small changes in behavior can have a meaningful impact on the number of incidents or events that you have to investigate.

For many companies, finding real security issues is like finding a needle in a haystack. If you mounted a security awareness campaign that informs people, they’ll spawn fewer security incidents and the haystack gets smaller. It's easier for us to see security events and incidents that are significant, and we can get to those faster. So, I think awareness is a tool in the arsenal but certainly not the only tool. But I know from experience that awareness has helped us.

How has the role of the CISO changed over the past 3 – 5 years? How do you see it changing over the next five years? What do these changes mean for the mandatory skill sets of a CISO?

I think the challenge of being a CISO today is that you don't have the luxury of being an expert on one domain. You have to have domain knowledge and experience in a lot of different areas. And that's what's changed over the last few years and it'll continue to evolve this way. You can't only be a network security expert and be a successful CISO at most companies.

In many cases, you've got to be an inch deep and a mile wide to cover all the ground you need to be effective as a CISO. Building a successful team who can help you reach a mile deep in all the different domain areas is just as critical. The most successful CISOs that I see aren't people who are experts in any one given area. They have a broad knowledge that they can apply across a number of different domains. And I think that's going to continue.

If you're a great engineer, you might be a great CISO. But I think you're going to see CISOs with broader sets of skills take on leadership roles throughout the information security industry.

You’re also seeing more CISO positions reporting to senior leaders and so their ability to communicate and preform at higher levels is critical. I'm Turner's first CISO. I report to the CTO and CFO. The former information security leader was at the director level, two or three levels down the organization from where it stands today. And so the skills needed for the former security leader are very different than the skills that are needed today. I can't be tactical on a day-to-day basis. I have to be more strategic. I need to have the capability to talk to senior leaders in the company to drive the type of change that we need to help make the company more secure.

To be effective, you also need a high level of emotional maturity. You might not always be the smartest person in the room and you have to learn to be comfortable with that. There are going to be other people who are smarter. In the end, it’s all about getting things done and developing influence. That's a skill set very different than perhaps what you might see in a typical hands-on security engineer.