CISO Conversations

Conversation with Helen Patton, CISO, Ohio State University

Helen Patton, Ohio State University

What do you see as the most significant positive steps that government, business, and the security industry have made in the past 24 months to improve cybersecurity?

The first thing I would point to is the increased collaboration between organizations. Some of that can look like the ISACs between different industries, but some of it can also take place within certain verticals. Here, the security teams talk to one another more often within a certain vertical like we do in higher ed.

Increased collaboration can also take the form of security companies banding together and focusing on certain issues to solve for particular threats. Probably the biggest positive from a business point of view is that collaboration has come a long way to improve how we are responding to cybersecurity threats that we examine.

In terms of government support, what I see from some of our defense agencies is a greater willingness to support private industry and other government sectors as opposed to being punitive. There is still a little bit of work to be done in that space, but it’s certainly a positive trend.

What impact has the Internet of Things had on cybersecurity planning and how has it affected your approach to operational and physical security?

This may seem counterintuitive, but the Internet of Things has not yet changed our security team's operations significantly. As we've done with other kinds of assets, we still evaluate IoT assets to understand the risks they introduce to an organization. Where we own IoT devices, we look to certain controls and techniques to protect and defend those devices from attacks.

If anything, the challenge has been the sheer volume of IoT devices. They're showing up in weird and wonderful places. Being able to do the initial risk assessment is sometimes challenging, but I don't think it has changed what we've done at a macro level—at least not just yet.

I think where my experience as a higher education CISO might be a little bit different than my general business counterparts is that we've been dealing with things similar to IoT for a really, really long time. When you think about research, we have exercise bikes here that have been internet-enabled forever. We've got telescopes that have been internet-enabled forever. I've got a washing machine with an IP address that's been around forever.

How can CISOs effectively deal with “shadow IT resources,” those non-sanctioned business resources that often bypass official channels to deploy technology?

First, you have to look at the humans operating the devices. There has to be a significant effort to avoid just telling people what to do because people will always do the easiest thing even if it is not the most secure thing. But you have to engage people who are advocates of security, not just tolerators of security. Teaching the people who would use or bring these devices into our environment what the security around those devices means is a really big piece of security.

Second, when you have these independent resources connected to your networks as opposed to a managed device, it's important to identify that pretty quickly. More holistically (and this is more of an IT issue than a security issue), if you're providing IT services that satisfy the needs of people, they will be less likely to bring something additional into the space. You've got to focus a little bit more on the usability and customer-facing UX of the services you already provide so people don't feel the need to go around you.

With threats becoming more organized and frequent, how much emphasis needs to be placed on end user behavior modification rather than just security awareness?

I think they're two sides of the same coin. I'm not sure you can say that user awareness and education is significantly more important than a sound security strategy. I do think it is more important than the tools, actually. But from my experience, if you can provide a security tool that people can use in a seamless way without it being seen to interfere with day-to-day tasks, it can have a powerful impact.

This is also true with something as straightforward as password management. For example, increasing the frequency of password changes actually makes people less secure instead of more secure. If you can provide a tool that's invisible to them and makes them more secure, great. Do it. Or implement one they enjoy using. I haven't found that one yet, but it’s a great idea, right?

But it can't be just one or the other. To me, it's actually quite a balance of both—the awareness in addition to the tools.

How has the role of the CISO changed over the past 3 – 5 years? How do you see it changing over the next five years? What do these changes mean for the mandatory skill sets of a CISO?

For me, the CISO role has changed because the executives of the firm, the board members of the firm, and the shareholders have become more aware of this particular issue. And those individuals don't know how to think about security. Unlike a CFO where everyone who goes to business school has taken finance and accounting classes, there's a baseline understanding. By contrast, hardly any of these execs have taken security training. They don't know how to think about it, and it's scary to them.

I see the role of the CISO still having one foot in the IT operational space when you think about the tools and systems implemented to provide protection or detection. But a significantly bigger portion of the CISO role is now more like an organizational translator of security threats into what they really mean to the business. I see that continuing.

The CISO role is transforming from being considered as an IT job to a business management job that happens to use IT to solve a problem but is not exclusively IT. By the way, that's just like every other business function in an organization. I see security executives coming out from underneath the CIO. I see them having a C-level role. I see them sitting on boards more often than not.

So, it follows that all those CISO skill sets need to change accordingly, right? It's about the ability to communicate and influence. There still needs to be an understanding of technology, but I can see the CISO career path still coming through a technology space. But their job is not to be an IT operations manager anymore. That's how I see it changing.