Senior Director, Information Security
In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with David Nolan, Senior Director of Information Security for Aaron’s. Nolan shares some unique insights about public-private sector collaboration, two goals that today’s CISOs must achieve, and ways to both maximize your talent pool while also tackling cybersecurity diversity issues.
Cybersecurity and privacy concerns have become more publicly visible, and this visibility has led to a better general understanding about these areas. Today, many people in both their work and private lives more often think about privacy and security. This public awareness has also led to more focus and collaboration in government around cybersecurity and privacy, encouraging discussion at a federal level. Naturally, getting legislators focused on cybersecurity has led to better protection for consumers. But this national dialogue has also brought more awareness to the impact on the private sector of various government actions—or lack of action—tied to cyber and privacy. Of course, generating this awareness is one of the NTSC’s main goals.
As even non-technical private sector executives have become more aware and informed about cybersecurity, they have formed closer relationships with our elected representatives, conversed more deeply with them about cybersecurity, and driven more informed national-level policy (and not just state-level policy). Over the past year, we’ve seen much more open collaborative dialogue, which is really a win for all sides—government, business, and the cybersecurity industry.
On the improvement side, a lot of it comes down to open and anonymous collaboration. The issues tied to public-private cyber threat intelligence sharing come down to perceptions. First, there is a perception on the private sector side that sharing with the public sector can hurt companies, potentially lead to regulatory pain, or get them in trouble if they have a security event. Second, there is a perception that the public sector doesn't share or add value to the information they share due to confidentiality or other reasons.
I'm a proponent of public-private partnerships and have participated in several throughout my career. Establishing relationships early, before you have a crisis, goes a long way toward improving the perception that there are negative repercussions in collaborating with the private sector during an incident. When someone initially needs the assistance of the FBI or the Secret Service is not the right time to be making your first introduction. Creating those relationships ahead of time eases the information sharing, improves the relationship, and makes their help more effective.
The value perception starts with expectation setting. When you engage entities such as the FBI and Secret Service, there are scenarios where they can help you and scenarios where they cannot help you. Educating yourself about the government's role in information sharing is really important. Private-private information sharing, such as through the ISACs, is also a strong collaboration option to help various industries as long as anonymity is tied to the information shared.
Overall, information sharing and collaboration between the government and those trying to defend networks is always going to be a good thing. Any way we can improve this collaboration will enhance security for all of us.
It depends on the level of information sharing you're expecting. You can receive a lot of value out of a public-private relationship without getting your own clearance or having higher-level access. For example, just having a cursory relationship with the FBI where they talk to your organization and give you perspective about what's going on in the world is helpful. The reverse is true where you can come to them and say, “Theoretically, if I saw something like this, is it a concern?” or “I'm seeing this type of activity, so what else should I be looking for?” While they may not always be able to share things back with you, your information may allow them to come back and say, “Make sure you're blocking these IPs or looking for these other DNS entries.” That type of collaboration can be very valuable without going the full route of security clearances and access to classified information. Depending on the amount of effort you're willing to put into the process, there is a level of gain you can receive at all levels of the public-private information sharing spectrum.
Much of the CISO’s role development started and still exists within various industry segments as a compliance and protection arm. This was often achieved by being a gate and approver for everything cybersecurity. Then we saw the transition to security “enabling the business” and providing security risks to the business, which is still important, but I think we've even started to mature beyond that goal. Today, the CISO focuses on building relationships, leading change, and representing and consulting on all types of business risk.
If you fully adopt the mindset of a servant leader, then the success of building relationships is highly important like any leader—especially those relationships with IT and the legal side of the organization. Building those relationships to ultimately make collaboration more successful and lower the friction when it comes to having hard conversations—raising issues and risks—is key. Like the public-private partnership example, you need to build these relationships and get to know people before a crisis happens.
One benefit I’ve found to these relationships is that a CISO understands a lot of things going on within the business and gets seen as someone “in the know.” For example, you can tell IT that another part of the business is looking into technology that they may be in the dark on. This insight about the business becomes a surprise value the CISO brings to an organization and can aid in relationship building.
Highlighting visibility of risk is also a key aspect of a CISO’s role. It's not just about raising problems. Instead, the CISO needs to talk about risk in terms of the company's specific business and risk tolerance with the right players in the business so that decisions about risk become business decisions. Ultimately, CISOs advise on impact, risk reduction, and alternatives by providing all the various pieces of information that business leaders and executives need to make those decisions.
By building on these, the CISO’s role continues to evolve. I think the CISO is going to move toward becoming a kind of key risk advisor throughout the business. As they build on their relationships and become part of business decisions about risk, people will more often come to the CISO asking for their opinion—not just because they want to know if something is secure but more for the CISO’s knowledge of the business and how risk decisions can impact it. The reason I think the CISO’s role will evolve toward these goals is because the same skillset we apply to security and technology can be applied to the risks associated to the business.
While we can always create a laundry list of CISO skills, two main soft skills are most important. First, a CISO needs business acumen beyond technical ability. Many in the security leadership world come from technical backgrounds, and it's not always natural for technical people to interpret business and identify risk in business terms. Second, a CISO needs analytical skills with the ability to interpret and discuss risk in areas where they have no experience. As a risk advisor, a CISO will face many scenarios and situations where they have no experience but they will be able to apply their learnings over the years, interpret the situation, and ultimately communicate the risk back to the appropriate level of the business.
It starts with the public. It’s great that people are becoming more aware of privacy concerns related to their own data, the importance of protecting their personal data, and what companies collect about them. Overall, public opinion leans toward acting on data privacy at the individual consumer level. This leads to a lot of action at the state level which, from a private sector perspective, adds confusion and a lot of additional expense and overhead in the absence of a national policy. This situation ultimately drives many CISOs to call for a national data privacy law.
Of course, many caveats exist related to what would make a good national privacy law, as the NTSC has often discussed. The concepts and trends reflected in these discussions are driving privacy to become a core part of the business. If companies start to treat privacy not just as a compliance matter but as part of the core business as public perceptions shift, then data privacy potentially becomes a business differentiator for companies. It will bolster brand perceptions because the public will more often look for companies that keep their data private.
There are many ways to improve diversity. Here are two ways I recommend. First, broadly, diversity starts with CISOs and companies building a brand and culture of inclusivity. Those are table stakes. This is not only important for perception but also for bringing diverse viewpoints and experience into a company.
Second, we need to ensure that we consider all sources of talent beyond the traditional. Even if you're not primarily focusing on diversity but addressing your overall talent shortfall, this process can still be valuable. I think we have an overdependence on wanting deep experience from cybersecurity employees that can ultimately cause this perception of a shortfall. Instead, talent could exist in many unconventional areas. For example, look at non-traditional roles feeding your security talent pipeline. In my opinion, project managers are great for GRC. Developers are great as security engineers or for OpSec. DevOps people are great in your SOC or endpoint security team. We've had huge successes on our team bringing in people without traditional security experience who are truly curious, inquisitive, analytical, and have a background that shows a lot of potential.
Also, where are you going for your talent pool? It's important to build relationships with diverse organizations, dip into talent pools, and promote diversity prior to ever needing people. How can you help drive interest in technology and cybersecurity with these groups, especially if it's a group or school that maybe doesn't have that exposure today? When you start creating those relationships and focusing on benefiting the community, you actually receive the benefit of associating your brand with efforts that drive diversity and inclusion. You'll be seen as an employer who is proud to grow and seek diverse talent, both in the community and on the job.
Build relationships and ultimately recruit at schools that are traditionally more diverse. Don't just go to “the school you are used to recruiting at.” Branch out. Take an advisory role if a school doesn’t have a cyber program or exposure to cybersecurity. Build it. Be part of the solution as much as you seek to pull from these talent pools.
On the education side, we've had internship success with Year Up and similar organizations. Then, of course, there are diversity-specific organizations—both industry-specific and more general—such as Minorities in Cybersecurity, Women in Technology, and, in Atlanta, REFACTR.TECH conferences, Women Who Code, People of Color in Tech, etc. We’ve seen success partnering with such organizations, and there are many more. But getting involved with those organizations means making sure your internal business resource groups or affinity groups are aligned with them. Use those groups, communities, and conferences as part of your recruiting—and don’t just rely on traditional recruiting fairs or posting jobs on the internet. That’s not enough. Of course, there are many great industry groups, especially in Atlanta. For public-private groups, InfraGard is a great one—I'm a big proponent of them. There is also ISSA, ISACA, and many other industry groups to look at as well.
To summarize, companies must branch out, really put effort into finding additional talent pools, and link with groups that they maybe don't have relationships with today. Think about it as a long-term investment in the community. For example, Aaron's donates money to Morehouse College for a number of scholarships. If companies tap these networks only when they have a need, they are going to be far less successful than if they create a long-term relationship. That's our civic duty as companies—investing in the community and in those students who could potentially later on be our employees.