CISO Conversations

Conversation with Bob Varnadoe, CISO, NCR Corporation

Back to list
Bob Varnadoe, NCR Corporation

Bob Varnadoe

NCR Corporation


In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Bob Varnadoe, Chief Information Security Officer of NCR Corporation, about important cybersecurity legislation advanced in the past year, the need for speed with cybersecurity threat intelligence exchange, and ways to address both diversity issues and the talent shortage within the cybersecurity industry.

What do you see as the most significant positive steps that government, business, and the security industry have made in the past year to improve national cybersecurity standards?

At the end of 2018, Congress passed and President Trump signed a law that created the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS). I think that law was a big step forward for DHS in formalizing the cybersecurity initiatives they already had in place, and the creation of CISA consolidated these initiatives into a more cohesive strategy moving forward.

I also think the bipartisan Cybersecurity Advisory Committee Authorization Act of 2019 bill floated in the House in March 2019 was also important. If passed in its current form, this bill will establish an advisory committee of 35 cybersecurity professionals from across industries to provide the Director of CISA and the Secretary of DHS guidance on cybersecurity policy and rulemaking. Having professionals from the private industry provide advice to CISA will be beneficial on many different levels, further opening the dialogue between the private and public sector while also better informing policymakers in Washington and practitioners within DHS.

On the private sector side, going back a bit further in time, the pervasiveness and nature of WannaCry in 2017 created a lot of awareness worldwide within companies across many industries. Before WannaCry, many companies probably did not understand the importance of good cyber hygiene, such as patching and using antivirus. While a terribly destructive and impactful attack, there was some good in that WannaCry created more cyber awareness that benefited companies both large and small around the world.

Post GDPR, privacy has become more of a concern in the U.S. in the wake of various widely publicized data breaches and scandals. How do you think a shift in thinking about national data privacy policy may impact CISOs moving forward?

An intersection exists between privacy and security, but they're very different professions with very different sets of requirements and objectives. Part of the complexity that comes out of privacy is a patchwork of international regulations. Privacy laws spring up in practically every country across the globe and they are becoming pervasive.

In some ways, what's happening internationally with privacy mirrors what we’ve seen in the US with state data breach notification laws. For international companies like NCR, these laws create a lot of complexity for CISOs to learn, understand, and meet the objectives of various pieces of legislation around the globe. It’s inevitable that as CISOs go forward, more and more of what we do will intersect with privacy and, at the very least, force us to be cognizant of privacy expectations because new rules will likely arrive on a regular basis for years to come.

What are some ways that you believe public-private sector cyber threat intelligence sharing can be improved, and what are the obstacles?

Speed is the number one aspect of intelligence sharing that needs improvement. The federal government needs to declassify and sanitize threat data faster so that indicators of compromise, IP addresses, hashes, and other intelligence is still relevant to us when they share it. In the private sector, we need to create a viable mechanism for companies to share threat intelligence data. That may include both a clearinghouse to help accomplish that sharing and mechanisms internal to a company to make that sharing practical. This would ensure it doesn't take a large staff of people to create and upload those indicators into the clearinghouse.

We are privileged as a member of the FS-ISAC, which boasts a mature, sophisticated indicator sharing program where we ingest pieces of intelligence into our detection and response efforts. While productive and useful, even the FS-ISAC is still limited by the federal government’s speed of declassifying indicators. We’re still able to get value out of this information despite a longer time lapse, but I feel certain that indicators provided to us were available on a classified basis prior to us getting access to them through FS-ISAC or DHS.

How has the role of the CISO changed over the last 3-5 years? How do you see it changing over the next five years? What do these changes mean for the needed skill sets of a CISO?

Over the last three to five years, the CISO community has focused more on developing business savvy. The expectations that CISOs can operate alongside business leadership and communicate to boards is well ingrained at this point. In the future, these expectations will only grow in importance. Going forward to help the business succeed, CISOs need to balance technology and business, translating security material into business material as we become intermediaries between these two vital functions.

I believe CISOs need enough technical knowledge to provide direction and guidance to their teams. Again, balance is important. If a CISO is too technical, you run the risk of not communicating well with business leadership. Too little technical understanding, and you underserve the security organization.

As the security industry wrestles with a worldwide talent shortfall of approximately 3 million cybersecurity professionals, diversity has emerged as a serious problem for CISOs to address as women and minorities either quickly leave the industry or never become interested in it. What are some ways you believe we can address diversity issues within the security industry?

We need to address both diversity itself and create a large enough pool of talent to satisfy the growing demand for cybersecurity professionals. As an industry, we must find ways to engage women and minorities in middle school and high school. There, we need to educate them about cybersecurity as a profession—that it is a viable career and an opportunity for professional and personal growth. In fact, we need to create awareness that cybersecurity even exists as a profession because, at the middle school and high school level, not enough students even know it's an option.

I am very passionate about a national workforce development program that I became involved in last year called Year Up. Its goal is to bridge the gap that exists related to career opportunities for 18- to 24-year-olds, particularly for urban youth, and create technology careers for them through a year-long program involving classroom training and an internship. Last year, they created a cyber program in Atlanta and I've been working with them since they started. It's an impactful program that tackles diversity and helps expand the pool of cybersecurity workers.

If we look at the problem holistically, the volume of talent coming out of traditional college programs just isn't enough to satisfy demand. Not enough cyber professionals come out of four-year degree programs. So, while colleges serve as an important source of cyber talent, we need to create more options than just the traditional four-year degree path. Year Up does a great job addressing that problem and provides an opportunity for CISOs to give back to the community, address an industry problem, and get their company exposed to motivated, young, diverse, talented people who can really drive a company’s security initiatives.

What’s an interesting trend in cybersecurity right now for you?

The industry has woken up to the fact that it’s just not possible to prevent all attacks. We must recognize that some will get through the defenses we establish, and we need to focus more on detecting attacks faster.

Technology can solve some of this challenge, but it also requires new processes. Threat hunting is very important for companies to focus on, whether through a managed service, periodic third-party engagement, or building the capability internally. Being able to find malicious activity in a company’s environment as early as possible and contain any damage before it spreads is a critical capability moving forward.