Cybersecurity Outreach Director
In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Don Boian, Cybersecurity Outreach Director at Huntington National Bank, about how CISOs can encourage more diversity in their teams, obstacles preventing effective public-private sector cyber threat intelligence sharing, and the need for a national dialogue addressing data privacy in the US.
I'm incredibly passionate about this topic and it’s a central focus of my new role as Cybersecurity Outreach Director. I am a firm believer in cybersecurity diversity for two reasons. First, we need diversity in thought to solve difficult, challenging cybersecurity problems. One of the best ways to get diversity in thought is with a diverse workforce with diverse experience and backgrounds who look at things differently.
That's one prong, but you also mentioned the talent shortfall. We are staring at a significant gap in this area. I look first and foremost to some of the underutilized or underrepresented areas in our profession where we absolutely must figure out a way to engage women and minorities to get them more involved in cybersecurity. To do that, we need to engage talent earlier in the process. Waiting until people are in college or even high school is too late. We need to have age-appropriate conversations in middle school about what a career in cybersecurity looks like and get them interested in it early. That's one of the reasons why Huntington invited 62 Girl Scouts on a Saturday morning to help them get one of their cybersecurity badges.
We need to develop programs like that to engage kids. Unfortunately, these actions will not create a short-term win. We need to play the long game here and absolutely figure out why the cybersecurity workforce is only 11 percent female. We need to figure out the causes of this problem, change our messaging, change the way we look at the problem, and figure out a better way to engage this talent. It’s an untapped resource that we're not engaging appropriately.
Also, I think we've been a little elitist in our cybersecurity positions. When CISOs look for cybersecurity professionals, they often want someone with a four-year degree and five years of experience. That's not the only way to go. There are portions of cybersecurity that motivated, technically trained high school graduates can do to get into this field. We need to figure out how to create apprenticeships and co-op programs specifically around cybersecurity to get people engaged early.
Yes. We need to boil cybersecurity down to the core skills and stop leading with things like saying you need experience in Security Information and Event Management (SIEM) or other technical capabilities. Start saying, “I need people who are inquisitive and love solving problems.” Stop hiding behind excessive requirements mandating that people need all sorts of technical credits. We can teach some of the technical aspects, but we can't teach natural critical thinking and problem-solving skills as easily.
Companies continue to elevate the CISO role. It's moved away from just being a technical cybersecurity role and become much more of a business and risk management role replete with reporting requirements to CEOs and boards. We’re starting to see that transition happen more.
I think CISOs need both technical and business knowledge, but not necessarily from the same person. CISOs can delegate more technical tasks to a security operations director who can run the day-to-day security of the organization. Overall, the softer skills help the CISO become more of a business leader and less of a technical-focused leader. While both sides are necessary in the organization, we’re starting to see those roles separate to some extent.
I’ve seen an increase in collaboration. Many more ISACs, government organizations, and, for lack of a better term, quasi-government organizations are sharing more information and collaborating on problems. Today, most CISOs are very interested in a collaborative defense model. If we’re each left to defend our little piece of network territory by ourselves, we won't win. Bad guys collaborate with each other all the time, sharing tools and capabilities. To respond, we’re starting to see a lot more threat and information sharing from an industry sector perspective—and the government is coming along although they still have a ways to go. After spending 30 years in the government during my career, I feel a lot of capability exists there that needs more sharing with private industry.
The biggest obstacle to sharing right now rests mostly with the liability side of things. Private industry is reluctant to share specific information about what they're seeing and what threats are targeting them for fear that this information will be used as part of litigation or a weapon against them in some way. Today, many organizations have a victim mentality toward cybersecurity. We're reluctant to share the fact that we've been hit with a smishing campaign, large-scale phishing attack, a DDoS attack, or other incidents because of the liability associated with them. I think we need to get past that mentality and stop blaming the victim.
Instead, we need to get to the point where it’s common practice for organizations to share information and say, “Hey, this is what I'm seeing. You need to protect yourself against this threat too.” I think people will gravitate toward either an industry-based or regional-based sharing center depending on what makes sense for them. Then we can federate and tie all those together. That's the way ISACs are modeled and those sharing centers seem to work well. In financial services, where I operate, this industry has a relatively mature ISAC model.
From a sharing perspective, it's not just about sharing indicators of compromise (IoCs) typical of ISACs. There are multiple other layers of sharing, of which I’m appreciative, such as information from the threat actor perspective that’s a bit more strategic. And during the last year or two, I've started seeing the sharing of playbooks such as a malware playbook showing how a financial services company detects, mitigates, and takes care of malware. It doesn't take much to receive a playbook from an organization to implement similar security orchestration. Obviously, a playbook will be tailored specifically for that organization, so an organization must be able to duplicate that tailoring for their environment. Playbook sharing is a fascinating collaboration going on right now.
One area needing room for improvement from the government's side is getting DHS to the point where it's the mouthpiece for the rest of the government. In other words, DHS can reach back into the FBI Cyber Division or intelligence agencies (while maintaining national security classifications) and present that information as a front for the rest of the government. That involves the maturity of their organization and it will take them a while to get there. Right now, I think they're evolving but I'm hoping they will soon leverage a large amount of the capabilities and knowledge that exist in those other places.
The statement “national data privacy” is telling, and I see one of two things happening related to it. One, we continue to allow states to set the standard, which is fine but can become a CISO’s nightmare if 50 different states legislate 50 different regulations, policies, and notification requirements when many companies do business nationwide. Also, we hopefully come together as a nation and preempt these possible state laws with a national data privacy and notification regimen which would protect the data of US citizens and give them some uniform legislation and regulation. Clearly, that would be the preference from both a private citizen perspective and a CISO’s perspective.
As a society, the US hasn’t had enough of a conversation about data privacy. Businesses and citizens haven't come to terms with what they want from a data privacy regulation. On one hand, citizens want their information protected. But they also want fancy analytics behind the scenes to help them shop better. We can't have it entirely both ways and we need a more mature dialogue to determine what we as a nation want. I don't necessarily think a carbon copy of GDPR in the US is the right way to go—and US businesses would not likely support it.
If I'm going to offer the best services to my customers, I can't have a GDPR approach with such strict guidelines. However, we are seeing stories coming to light about social media companies sharing data behind the scenes without explicit consumer permission. This causes some citizens to say, “Maybe I should pay a little more attention to this privacy thing.” We need a national dialogue to determine the US “ethos” around data privacy.