CISO
In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Kevin Gowen, Chief Information Security Officer of Synovus, about increased cybersecurity awareness, communication, and transparency; caution about how we approach data privacy; and how cybersecurity talent pipelines and diversity go hand in hand.
First, I’ve seen a dramatic increase in cybersecurity awareness, specifically concerning the challenges businesses in all industries and of all sizes face. High-profile private and public sector data breaches have driven awareness by giving cybersecurity a more personal feel. People see their data involved in a breach and personally feel the scope of what happened. This personal involvement creates more focus on cybersecurity issues and drives progress in the cybersecurity industry. And what we’re seeing around data privacy policy, particularly at the state level and to some extent at the national level, is driven by this increase of awareness.
Second, communication and dialogue has improved around cybersecurity. The security community really understands we're all fighting the same battle against common adversaries. That makes CISOs generally supportive of collaborating, sharing, and driving cybersecurity progress for the benefit of everybody as we all work together to improve security for everyone. Dialogue, communication, and sharing help drive continued improvement in cybersecurity across the country, in all sectors. The financial services industry has always taken a leadership role in helping drive this communication and dialogue, especially through the work of the FS-ISAC, and this work continues to improve and expand.
Third, we're seeing more transparency from a government perspective. The work done to create the Cybersecurity and Infrastructure Security Agency (CISA) within DHS was huge. CISA formalizes important operational aspects of the public-private sector partnership and helps private sector CISOs better understand the federal government’s capabilities. By bringing greater focus to these capabilities and offering a more coherent strategy to the private sector, CISA allows CISOs to take better advantage of federal resources and become better partners with the public sector.
I've also seen the Department of Justice, FBI, Secret Service, and various federal agencies doing a lot more outreach and communication. They are soliciting input from the private sector and letting us know what they can do, what resources they bring to the table, the benefits of partnering, and how we can work together. Some of the public and private sector’s reluctance to work together originates in a lack of understanding, so the public sector’s outreach and communication has been very helpful.
That’s why the NTSC’s work in bringing CISA’s voice together with CISOs in a unified way is a big element of this outreach and communication. We now have members of Congress along with state and local government stakeholders reaching out to CISOs in the security community and seeking to better understand cybersecurity issues. These positive steps help us continue to move forward.
This topic is vitally important to me, as I have responsibility for both information security and privacy at Synovus. I wear both hats. Many people look at data privacy and think, “If I keep my data secure, then that means it will stay private.” We've advanced far beyond that assumption. I think the intersection between privacy and security is a lot clearer than before, but it remains a tremendously complex idea from a few perspectives.
I see a parallel between what's going on in privacy and what exists today with data breach notification where we have a patchwork quilt of state level regulations that differ in standards, triggers, timeframes, and requirements such as who you notify and how you notify them. These laws create tremendous complexity and CISOs must spend a lot of time understanding existing regulations and working with their legal team—time that could be better spent focusing on the underlying issue. If we’re not careful, we're going to find ourselves potentially allowing states to craft a bunch of separate state-level requirements and regulations. Like with data breach notification requirements, these many data privacy requirements will need to be managed by CISOs if their company does business nationwide. Instead, we need to have a dialogue and arrive at a national data privacy policy that is more nationally consistent, embraced, and supported—and then help it become effectively implemented and managed by everybody.
However, another underlying piece of data privacy is probably one of the most difficult—and goes beyond the CISO and Chief Privacy Officer roles—and that’s the dialogue about what privacy and personal information really means. As consumers and businesses, we use so many technologies and tools that require active, open sharing and the use of personal information. This area is difficult to legislate because there are many subtleties in how we use and share personal information. For example:
If we move too fast on data privacy, there will be unintended consequences. I absolutely support the idea of data privacy, but we need to understand what issue we're trying to address and what exact problem we're trying to solve before we prescribe a solution or regulatory requirement. If there is a lot of ambiguity in any future laws or regulations, then it becomes very hard to implement that ambiguity.
The pure speed of sharing is certainly important, and it’s a big challenge. In the public sector at the federal level, much greater willingness and recognition exists for the need to share with the private sector. However, sharing is still an issue. When looking at some of the existing processes around declassifying and synthesizing intelligence before sharing it, there are still problems with the information starting to lose relevance if it takes too long to get to an organization.
Across the private sector, especially with ISACs, companies are fairly good at sharing information quickly—and they move on information quickly. We need to see more of that fast movement with information sharing from the public sector to the private sector. Within the private sector, more room probably exists to make information viable to share. The FS-ISAC is good but not the be-all and end-all of information sharing. How do we collectively, with the government playing a role, create more of a broad clearinghouse approach where people can share—providing in and receiving back out—information? Some of the sharing models should require that if you're going to consume then you also must contribute. But we need some way to enforce it. We cannot just take. We must all give. It's a community effort in both directions.
This is an area where government has a great capability to integrate and synthesize all this information so that it's useful and actionable. How do you create a framework for many organizations to share quickly with some sort of governance arbitration within the framework? That's probably a capability the public sector could provide that would help public-private sector cyber threat intelligence sharing—and this capability would also help speed up the sharing.
Considering some of the barriers, cyber threat intelligence sharing is getting better in the private sector. Some reluctance still exists for organizations to share. If I share information about a thread or a text, is this information going to come back to bite me in some way? If an attack achieves some level of success, must I then disclose something? Has the information I've shared become part of someone's class action lawsuit against my company? A nagging feeling remains that if I share something then the government will see me as complicit in what happened rather than as a victim.
However, I think this situation is getting better, especially with the steps taken within the government at the federal level to remove some of these barriers and educate people. The government has been communicating better to the private sector that if you share information with the FBI or Secret Service, they’re not calling your regulators and they will keep your information confidential. Their interest is helping you protect your company, fight perpetrators, and bring them to justice.
The biggest change is that companies recognize cybersecurity as one of their major top risks. When you look at what CEOs worry about, cyber is high on their list and that's driven a lot of the change in the CISO’s role. The CISO is no longer a technical person working at some level within the IT organization but instead their responsibilities have included much more of a business and risk management role with a much stronger voice that speaks at a higher level in the organization. Leaders now recognize that in strategic decisions like acquisitions, they must engage their CISO because understanding security risks is an important part of the acquisition decision-making process.
When speaking to the CEO and board, this means the CISO cannot use technical jargon and must talk in the language of business in terms of vulnerabilities, risks, and impact. This change has happened faster in some companies and industries than others, and we’re going to continue seeing more of that evolution. If you've earned the right to become more strategic and acquire more weight within an organization, then you must be able to operate strategically. The CISO needs to develop strategic plans and demonstrate how those plans align with the business, how you identify emerging threats, and how you develop strategies around risk mitigation.
CISOs also need to become better at developing their staff and growing more comfortable building a team who can focus on the day-to-day expertise within each technical domain while the CISO focuses on setting strategy, engaging with the lines of business, and operating at an executive level within the company. That's a challenge. In many cases, CISOs came up through the technical ranks and suddenly get called on to have a different set of skills when stepping into the role. That's one of the aspects driving the changing nature of who serves as CISO and it impacts the skillsets needed.
Diversity is greatly important, and both diversity and the talent shortage go hand in hand. We acknowledge the lack of cyber talent, and the existing traditional pipelines can't keep up with the need. It's incumbent upon us as CISOs to figure out how we make cybersecurity more inclusive and increase the potential talent pool. By its nature, solving this problem will lead us toward a much more diverse set of candidates in the profession. The larger the pool, the more diversity will exist. We need this diversity so that we hire more people diverse in thought and experience who look at things differently. Cybersecurity threats, challenges, and issues continue to change, and people with different ideas and approaches are going to be very valuable to companies.
We need to figure out how we engage people much earlier in the process. If I'm waiting to build relationships with future talent when candidates are already in college, then it's too late. How do we establish outreach programs and initiatives at the middle school and high school level to help create greater awareness and understanding about cybersecurity? We underestimate how technologically aware people are as part of their daily lives. That means we must do a good job of helping them connect the dots between their personal experiences and what that technical knowledge can mean for them professionally.
As part of our outreach efforts, we need to figure out how to create more options than just the traditional four-year college degree path. Apprenticeships and co-op programs that focus on cybersecurity, internships, and work shadowing programs along with companies supporting competitions, job fairs, and initiatives with youth groups and schools are all activities that help make people more aware about cybersecurity and get them interested. Once they are aware and interested, we can then begin to execute on engagement strategies and bring candidates into our companies. We need to look at the long game and create a path that's actionable for people. The more we focus on these efforts, we can then start building a much longer and deeper pipeline. That will help us with the diversity challenge, but I think it also fundamentally helps adjust the size of the talent pool available to us.