In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Elizabeth Joyce, Senior Vice President and Chief Information Security Officer of Hewlett Packard Enterprise Services. Joyce talks about the necessity of a strong public-private partnership to improve cyber threat intelligence sharing, why we need a federal data privacy law, and how the role of the CISO will evolve as digital transformation impacts companies.
Overall, a lot of positive change has occurred recently to improve national cybersecurity standards. NIST’s work developing standards—which are not only adopted in the US but also by many global companies—is a major positive step. As such, NIST provides a common mechanism for organizations—including government agencies and trade groups—to work together, effect change, and align on standards. That’s a significant improvement, but there is more work to do, such as evolving version 1.1 of the NIST Cybersecurity Framework and continuing discussions around version 1.0 of the NIST Privacy Framework. We must drive standards that are practical to implement but flexible enough so that different entities that leverage them can align and create common baselines. As a result, we are all better protected.
From my perspective at Hewlett Packard Enterprise, our Chief Privacy Officer and I certainly have a very tight relationship—both operationally and in looking at regulations. We constantly ask ourselves how we align so that we can quickly assess and respond to data privacy situations. Concerns about data privacy resulted in legislation such as the California Consumer Privacy Act (CCPA) and regulations such as GDPR. We must be incredibly pragmatic going forward so that we put the right protections in place around privacy.
For the US, we may possibly end up with 50 states each creating their own privacy policies, similar to what happened with data breach notification legislation. That’s not optimal. Such laws will generate a lot of complexity, making it hard on consumers to understand why the rights that protect them differ depending on where their data is located. Too many laws also overcomplicate compliance. We need to focus on passing a federal privacy law that ensures the best optimal results—protecting the consumer in a consistent, transparent way and allowing organizations to respond quickly and appropriately to data privacy requests and violations.
We’ve made progress over the years, a lot of it beginning with the 2015 Cybersecurity Information Sharing Act that set up a framework to help organizations better share threat intelligence. Historically, distrust has existed between the public and private sectors. However, the public sector has access to data the private sector lacks, and private industry owns large segments of the internet and critical infrastructure. Both need to share information so that we better understand the adversary, quickly react, and formulate strategies in a united way.
Implementing frameworks and structures that give organizations a better ability to share information with more transparency and clarity is important. We've seen through organizations such as the ISACs that, when everyone shares information, we can respond better and faster to cybersecurity threats. And to share threat intelligence as transparently as possible, trusted relationships are important.
This problem is not easy to solve, but we must keep our focus on it because we cannot continue on our current path. At the moment, it’s positive that we see a genuine and real recognition of good intent from the public and private sectors, but we need to do much more with our efforts to increase what we share and how fast we share it.
The role of the CISO has changed a lot over the years. Previously, CISOs generally arrived from one of a few different backgrounds such as IT, the military, or compliance. The CISO role itself was often seen as either an extremely technical or compliance role. The security organization, and therefore the CISO role itself, was often buried within IT.
Today, a more heightened awareness of cyber threats exists as stories appear frequently in headlines and incidents impact companies. As a result, companies and boards have elevated the CISO role to more of a C-suite role as they realize how cyber threats impact the entire business. CISOs must be strategic and not just tactical in how they respond to cyber threats, business-enabling yet also technical, understanding the complexities of these threats and directing solutions and controls in response. Additionally, CISOs must speak the business’s language, explaining the risk and what can be done in layperson's terms.
As a result, the CISO role is far more encompassing than ever before and requires a broad skillset. Most important is the CISO’s communication skills because they must communicate technically to lead a technical team, define and communicate security policies to a large organization, and communicate business risk in business terms to the leadership of the organization.
Cybersecurity is also still a fairly new profession, making the CISO role even more challenging. Unlike law or medicine, no clearly defined paths or standard profiles exist. As the role evolves, I don't see the expectation of needing a broad skillset changing except to broaden. With AI, machine learning, IoT, zero trust, and other issues rapidly emerging, a CISO must examine, understand, and deal with them—both in the present and thinking ahead to the future. CISOs are expected to look ahead, understand the possibility of risks and threats in emerging areas, and adapt to them. Especially with the trend of digital transformation spreading across the globe for many companies, CISOs really must understand their organization’s business goals and objectives, the transformation process, and how to adjust their security strategy to protect the organization during the transformation—ending up with the sort of optimal secure digital environment that the organization envisioned.
So, while the role of the CISO has definitely changed, I would say that for most CISOs today, that's why they do the job. They love the challenge—the view of not only doing something important in the here and now but also having to always look toward the future.
Diversity is not only a technology industry issue but also a security industry issue. We need to minimize barriers and encourage more women and underrepresented minorities to join the field. And it must feel like an equal playing field regarding pay, treatment, and respect. We must also address how we deal with biases, whether social or institutional, conscious or unconscious. For example, unconscious bias can occur when teachers and parents steer kids toward a particular toy or subject in schools. It’s important to approach the diversity problem from multiple levels.
As I’ve progressed in my career, I’ve increasingly appreciated the need for role models. Whether women or underrepresented minorities, these people must serve in senior and technical positions to act as role models for kids. If we want to open up our pool of candidates, younger kids must be able to see themselves in a role and aspire to it. That's really important. Also, having people in those senior positions means you bring diversity into the group that defines and drives recruitment and career development processes. It's important that diversity of thought exists with that group.
Beyond the internal organization, it's incredibly important to support diversity in the broader community. For example, we have done multiple initiatives including working with Girl Scouts Nation's Capital on cybersecurity and robotics patches so that girls become interested in cybersecurity and STEM. We also host activities such as code wars with high school-aged kids. Companies can work with external organizations to continuously drive more awareness, capabilities, and resources at a local or national level in order to encourage diversity and offer opportunities.
Within organizations, CISOs need to hold themselves accountable about diversity—staying aware of this issue, setting up structures around career paths, enabling job rotations, and making hiring simple to provide cybersecurity exposure. As I mentioned earlier, cybersecurity does not necessarily have a professionally defined career path. Making the time and effort within your own organization to define a path and create that clarity allows people to see how they can achieve specific cybersecurity career goals. It's a multipronged approach, and I really think a CISO must do it all if we are going to make an impact.