CISO in Residence
In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Jesus Montano, CISO in Residence on the NTSC Board of Directors, about the shortfalls of cyber threat intelligence sharing, the nuances of data privacy, the cybersecurity workforce shortage, and the evolving role of the CISO.
A level of awareness and questions raised by government officials in the public sector in terms of their own personal data losses has bubbled up to a critical level. In the past, breaches and issues occurred in all kinds of different industry sectors but I don't think it got to a point where people felt personally affected. Now, people have started to associate data breaches with the potential effects on them.
Organizations such as the NTSC that are trying to broaden this visibility are very important. I’ve been in security for 25 years, including 15 years as an executive, and it’s a positive sign that I’m meeting with Members of Congress to discuss cybersecurity for the first time ever—and they’re starting to ask CISOs their opinions about legislation, regulations, and policy. That's remarkable.
Lawmakers are also using existing legislation as models to attempt passing national legislation. The California Consumer Privacy Act (CCPA) is just one of many examples of a law that tries to address privacy in the wake of GDPR. Before the CCPA, the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation was probably the leading regulation in the privacy space. Having those laws and regulations front and center as part of boardroom conversations at many Fortune 500 companies, especially those in New York, and having conversations around cybersecurity and its effects, implications, and preparedness is remarkable and significant. Five or even three years ago, these steps really weren't in place.
I think a big groundswell is emerging of people saying they need their data protected, privacy maintained, and confidentiality upheld. I'm a big proponent of privacy and all the measures associated with it. But in the Information Age when information is at the heart of everything we do, privacy will conflict with the ability to share certain types of information in a way that creates a valuable and positive experience for many customers. We haven't yet been able to effectively wrestle with this problem.
As a result, many legislators and policymakers at the state and national level reference GDPR and the need to maintain privacy. Suddenly, we start seeing privacy legislation. But think about just the CCPA. If you are a resident in California, you now expect to know the location of all your information and can request that any company maintaining your information delete any information that they have about you. That's preposterous. That’s like asking Google or Microsoft to delete everything they have about you.
Even if technically feasible, think about the implications in terms of mashing, sharing, and aggregating information and how we rely on the free flow exchange of public information on the internet. This information flow is at the crossroads of everything from which we try to derive and get benefit as consumers and businesses. We're now saying that the technologies we use need to honor and abide by all these privacy constraints, which in some cases aren't well-constructed.
I'm not saying that all consumer information should be free and publicly available to everybody. But how do you achieve both goals of maintaining information privacy while sharing information that doesn't need private maintenance so that it benefits everyone holistically in a social setting? I don't think we have a good answer to that question.
The foundation of GDPR in the European Union came out of Germany and a few other countries where the definition of private information is much broader than in the United States. To get our “version” of GDPR right, we need to clarify the definition of private information versus public information. You and I might both agree that our social security number is private. But where is it housed? How is it stored? Whether you want to admit it or not, your social security number, home address, and other pieces of personal data are likely known by individuals who have collected that information.
So, when the point of GDPR, CCPA, or other privacy laws is to tell CISOs not to share all that information, it’s interesting to note that all that information is already out there. We need to get clear on what exactly needs privacy. Think about healthcare. Most people probably don't have many concerns that their medical history and diagnoses are public. That’s because confidentiality exists around medical records and information considered private. By contrast, the privacy of the information that people often talk about, such as email addresses, physical addresses, dates of birth, and social security numbers, is questionable. Is this information really private? Without a better definition, challenges will exist when implementing privacy legislation. What are the rights associated with private information? Can I request to delete my private information? Or do I just have the right that it not be shared?
I’ve been around cyber threat intelligence sharing several times in various companies. When making intelligence information available, many private sector organizations fear risk of exposure to litigation and potential threats, which are understandable concerns. That's probably one of the reasons why many organizations have not shared data with the government related to potential or even real attacks. With regulations, of course, we're required to share certain information. But otherwise it's been really limited.
On the other side, you do have some public sector sharing of intelligence with the private sector. But most of the public sector intelligence shared with the private sector is not very relevant. So, if the NSA, FBI, CIA, or any DoD government agency shares the fact that they've experienced a nation-state attack, chances are that attack will not affect a company unless they are doing government work or they are a specific target. Otherwise, what the public sector sees is not relevant to what a company sees.
So, we've got to find a way to share certain types of information, and we need more private sector sharing of threat intelligence to the government. The government can serve perhaps as the arbitrator where they take and synthesize data. They're very good at that activity, and they've got entities that synthesize intelligence and play it back well. We’ve seen this in a couple of different formats with information sharing committees in financial services (FS-ISAC), local government (MS-ISAC), critical infrastructure ISACs, and even with healthcare (H-ISAC). These consortiums and forums are created to serve in an information sharing role, but I don't think they go far enough even if the government connects to some of them.
I'd like to see more resources applied to the aggregation and sharing of that intelligence back to the community that contributes. If a CISO wants rich intelligence about how their peers are affected by cyber issues, they would contribute their intelligence into the pool, knowing that it’s anonymized, and receive intelligence because of that contribution while benefiting from all the information that their peers see played back to them. I think if the government applied some of its capabilities and resources to enrich that data, then the information sharing would increase to the right richness level—not only so that we have shared peer data but also the government’s information that they’ve applied and embellished with other intelligence that’s not confidential or a national security risk. This is probably a CISO’s single biggest area of concern: What don't they know? How can they get access to what they don't know or what they might need to know? And from where do they get that information?
First, as CISOs, we need to stop complaining about the shortage and start doing something about the problem. As I see it, minorities are generally underrepresented in today’s cybersecurity workforce—especially women. Recruitment and promotion of minority candidates is not enough.
We need to actively engage, promote, and encourage all interested individuals (especially women and minorities) to pursue these new cyber roles. We need to create opportunities for high school and college students to intern, work shadow, and even participate in cyber competitions and job fairs.
As leaders in the cybersecurity workforce, CISOs (especially those of us who have made it as minorities) need to become more active in reaching out to the community to promote and encourage other minorities to pursue these opportunities. We need to become advocates to show others what cybersecurity is all about, explain how people can pursue those opportunities, and then support their engagement in the process.
The harsh reality is that the workforce shortage in large part is tied to women and other minorities not knowing about the opportunities that exist, not having effective options to pursue those opportunities, and not receiving support from mentors and sponsors to make those choices and reach their goals. If we’re really concerned and want to see this situation improve, we need to consider doing things differently.
Today’s shortage of talent makes the CISO’s role one of the most difficult jobs to execute. Even just a few short years ago, the CISO was often seen as the geeky person in the back room worrying about all kinds of technical security configurations for which the CIO or IT director didn't have time because they needed to focus on business systems and operations. Today, CISOs have gone from the back room geeky persona to front and center with the board. This interaction with the board is now part of most CISO roles and the key questions for the board are:
Despite this positive change and dialogue with the board, many CISOs still face mediocre support from internal management within their company. Unlike the chief audit executive, who often has an independent reporting structure to the board, most CISOs do not.
As things evolve, I believe the next biggest change to address is the often conflicting reporting structure that today’s CISOs find themselves in. The next big change must be having the CISO report either directly to the CEO or through a parallel path to the board. If we are truly going to take cybersecurity as seriously as we all say it is, this change must be part of the evolution of this role.
As more companies consider different ways to align the role, the skills for the CISO will need to evolve from expertise with the development and execution of cyber response plans to the formulation of business-aligned, multi-year strategies involving risk mitigation and the identification of emerging threats to those strategies. This means CISOs will need to develop and delegate more of the day-to-day work to their lieutenants and focus on their interactions with the board and their peers.