CISO Conversations

Conversation with Don Boian, Cybersecurity Outreach Director, Huntington National Bank


In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Don Boian, Cybersecurity Outreach Director at Huntington National Bank, about how CISOs can encourage more diversity in their teams, obstacles preventing effective public-private sector cyber threat intelligence sharing, and the need for a national dialogue addressing data privacy in the US.

As the security industry wrestles with a worldwide talent shortfall of approximately 3 million cybersecurity professionals, diversity has emerged as a serious problem for CISOs to address as women and minorities either quickly leave the industry or never become interested in it. What are some ways you believe we can address diversity issues within the security industry?

I'm incredibly passionate about this topic and it’s a central focus of my new role as Cybersecurity Outreach Director. I am a firm believer in cybersecurity diversity for two reasons. First, we need diversity in thought to solve difficult, challenging cybersecurity problems. One of the best ways to get diversity in thought is with a diverse workforce with diverse experience and backgrounds who look at things differently.

That's one prong, but you also mentioned the talent shortfall. We are staring at a significant gap in this area. I look first and foremost to some of the underutilized or underrepresented areas in our profession where we absolutely must figure out a way to engage women and minorities to get them more involved in cybersecurity. To do that, we need to engage talent earlier in the process. Waiting until people are in college or even high school is too late. We need to have age-appropriate conversations in middle school about what a career in cybersecurity looks like and get them interested in it early. That's one of the reasons why Huntington invited 62 Girl Scouts on a Saturday morning to help them get one of their cybersecurity badges.

We need to develop programs like that to engage kids. Unfortunately, these actions will not create a short-term win. We need to play the long game here and absolutely figure out why the cybersecurity workforce is only 11 percent female. We need to figure out the causes of this problem, change our messaging, change the way we look at the problem, and figure out a better way to engage this talent. It’s an untapped resource that we're not engaging appropriately.

Also, I think we've been a little elitist in our cybersecurity positions. When CISOs look for cybersecurity professionals, they often want someone with a four-year degree and five years of experience. That's not the only way to go. There are portions of cybersecurity that motivated, technically trained high school graduates can do to get into this field. We need to figure out how to create apprenticeships and co-op programs specifically around cybersecurity to get people engaged early.

Cybersecurity is an exciting industry, and somehow the messaging just isn’t getting out.

Yes. We need to boil cybersecurity down to the core skills and stop leading with things like saying you need experience in Security Information and Event Management (SIEM) or other technical capabilities. Start saying, “I need people who are inquisitive and love solving problems.” Stop hiding behind excessive requirements mandating that people need all sorts of technical credits. We can teach some of the technical aspects, but we can't teach natural critical thinking and problem-solving skills as easily.

How has the role of the CISO changed over the last 3-5 years? How do you see it changing over the next five years? What do these changes mean for the needed skill sets of a CISO?

Companies continue to elevate the CISO role. It's moved away from just being a technical cybersecurity role and become much more of a business and risk management role replete with reporting requirements to CEOs and boards. We’re starting to see that transition happen more.

I think CISOs need both technical and business knowledge, but not necessarily from the same person. CISOs can delegate more technical tasks to a security operations director who can run the day-to-day security of the organization. Overall, the softer skills help the CISO become more of a business leader and less of a technical-focused leader. While both sides are necessary in the organization, we’re starting to see those roles separate to some extent.

What do you see as the most significant positive steps that government, business, and the security industry have made in the past year to improve national cybersecurity standards?

I’ve seen an increase in collaboration. Many more ISACs, government organizations, and, for lack of a better term, quasi-government organizations are sharing more information and collaborating on problems. Today, most CISOs are very interested in a collaborative defense model. If we’re each left to defend our little piece of network territory by ourselves, we won't win. Bad guys collaborate with each other all the time, sharing tools and capabilities. To respond, we’re starting to see a lot more threat and information sharing from an industry sector perspective—and the government is coming along although they still have a ways to go. After spending 30 years in the government during my career, I feel a lot of capability exists there that needs more sharing with private industry.

What are some ways that you believe public-private sector cyber threat intelligence sharing can be improved, and what are the obstacles?

The biggest obstacle to sharing right now rests mostly with the liability side of things. Private industry is reluctant to share specific information about what they're seeing and what threats are targeting them for fear that this information will be used as part of litigation or a weapon against them in some way. Today, many organizations have a victim mentality toward cybersecurity. We're reluctant to share the fact that we've been hit with a smishing campaign, a large-scale phishing attack, a DDoS attack, or other incidents because of the liability associated with them. I think we need to get past that mentality and stop blaming the victim.

Instead, we need to get to the point where it’s common practice for organizations to share information and say, “Hey, this is what I'm seeing. You need to protect yourself against this threat too.” I think people will gravitate toward either an industry-based or regional-based sharing center depending on what makes sense for them. Then we can federate and tie all those together. That's the way ISACs are modeled and those sharing centers seem to work well. In financial services, where I operate, this industry has a relatively mature ISAC model.

What do you feel that other industries can learn from the financial services sector about cyber threat intelligence sharing?

From a sharing perspective, it's not just about sharing indicators of compromise (IoCs) typical of ISACs. There are multiple other layers of sharing, of which I’m appreciative, such as information from the threat actor perspective that’s a bit more strategic. And during the last year or two, I've started seeing the sharing of playbooks such as a malware playbook showing how a financial services company detects, mitigates, and takes care of malware. It doesn't take much to receive a playbook from an organization to implement similar security orchestration. Obviously, a playbook will be tailored specifically for that organization, so an organization must be able to duplicate that tailoring for their environment. Playbook sharing is a fascinating collaboration going on right now.

The NTSC recently published a whitepaper about collective defense and how DHS evolved its services in 2018. What are your thoughts about these efforts on behalf of DHS to connect better with CISOs?

One area needing room for improvement from the government's side is getting DHS to the point where it's the mouthpiece for the rest of the government. In other words, DHS can reach back into the FBI Cyber Division or intelligence agencies (while maintaining national security classifications) and present that information as a front for the rest of the government. That involves the maturity of their organization and it will take them a while to get there. Right now, I think they're evolving but I'm hoping they will soon leverage a large amount of the capabilities and knowledge that exist in those other places.

Post GDPR, privacy has become more of a concern in the U.S. in the wake of various widely publicized data breaches and scandals. How do you think a shift in thinking about national data privacy policy may impact CISOs moving forward?

The statement “national data privacy” is telling, and I see one of two things happening related to it. One, we continue to allow states to set the standard, which is fine but can become a CISO’s nightmare if 50 different states legislate 50 different regulations, policies, and notification requirements when many companies do business nationwide. Also, we hopefully come together as a nation and preempt these possible state laws with a national data privacy and notification regimen which would protect the data of US citizens and give them some uniform legislation and regulation. Clearly, that would be the preference from both a private citizen perspective and a CISO’s perspective.

How do you see the US approach differing from GDPR?

As a society, the US hasn’t had enough of a conversation about data privacy. Businesses and citizens haven't come to terms with what they want from a data privacy regulation. On one hand, citizens want their information protected. But they also want fancy analytics behind the scenes to help them shop better. We can't have it entirely both ways and we need a more mature dialogue to determine what we as a nation want. I don't necessarily think a carbon copy of GDPR in the US is the right way to go—and US businesses would not likely support it.

If I'm going to offer the best services to my customers, I can't have a GDPR approach with such strict guidelines. However, we are seeing stories coming to light about social media companies sharing data behind the scenes without explicit consumer permission. This causes some citizens to say, “Maybe I should pay a little more attention to this privacy thing.” We need a national dialogue to determine the US “ethos” around data privacy.