Corporate Chief Information Security Officer
In an interview conducted by the NTSC with Mathew Newfield, Corporate Chief Information Security Officer of Unisys, we explored pressing topics affecting the role of the CISO, including how public perception issues affect public-private cyber threat intelligence sharing, how CISOs and Chief Privacy Officers can work better together, and the business acumen CISOs need to serve companies effectively.
Communication has improved, which has enabled information sharing between government and business. This is radically different from the past because, historically, there was a lack of engagement, largely due to the misperception that protecting the federal government from cyber threats differed from protecting business from cyber threats.
The shift, in my opinion, is a result of government realizing the private sector has additional views into security threats with the ability to see patterns resulting in a holistic view of the cyber threat landscape.
Consider the role of service providers, for example. We are in a position to analyze or sense patterns because we are a collection point, and this gives us a better understanding of indicators of compromise (IoC) which can facilitate much needed conversations with federal colleagues both at the system and agency levels.
As I mentioned, the sharing of IoCs between the public and private sectors is a step in the right direction. However, cyber threat intelligence sharing becomes challenged due to the classification of data and systems. For example, IoCs can be classified as top secret or secret, which can cause issues for business because, at times, there are limitations on what can be shared. There are examples where, even if security leaders have the appropriate clearance, they are unable to act upon what they learned because the systems are not considered cleared.
Another obstacle is a lack of trust between the public and private sectors. Commercial legal teams are, at times, cautious about sharing IoCs with federal groups like the Department of Homeland Security (DHS) or the FBI out of concern that they are giving away information about consumers or, in general, data that should not be shared. It’s not surprising when the media suggests the federal government wants backdoors into a company’s platforms or suggests that the government is snooping. This is a concern for many lawyers and cyber professionals, as they don’t want to be misconstrued in the marketplace as mishandling customer data.
There would be great benefit if the federal government enhanced its public relations efforts to mitigate reported incidents by communicating what really happened. This offers separation between an agency making a mistake and an individual who works for the agency making a mistake.
Public distrust in government surveillance activities is an issue in the United States and in other countries as well. I would encourage continued sharing of cyber threat intelligence to create a sense of goodwill between the public and private sectors.
As an essential aspect of cybersecurity, privacy has always been a part of a CISO’s focus. However, the responsibility of privacy has been elevated to the board level within a corporation. There are cases where legal action has been taken against board members and executives who were expected to protect data that had been compromised. As you mentioned, the European regulation, GDPR, should certainly get your attention if privacy wasn’t a priority for you or your organization. The financial penalty, let alone the damage to your brand, can be up to 4 percent of annual revenues or 20 million euros (whichever number is greater).
We are in a digital era where information has become the currency of exchange and information has no boundaries. Leadership expects its security and legal teams to protect the company, the brand, their associates, and their data. Many functional roles play a part here, and I believe the CISO should create a symbiotic relationship with the Chief Privacy Officer or the privacy function to successfully protect the corporation. National data privacy policy continues to evolve, as do cyber threats. Therefore, in order to mitigate risk, we must work together to build a risk-based approach that moves the business forward and tries to be more than just compliant.
I am fortunate to work with a Chief Privacy Officer who is not only cooperative but also collaborative. We have been able to establish a core set of common goals and objectives because we have a relationship based upon trust and transparency.
It’s no surprise that both the security and legal functions run the risk of being perceived as the “Office of NO.” Together, we must spread awareness and education across the entire organization to communicate the role our associates, executives, partners, and suppliers play in keeping our environment safe while advancing the business.
During this year’s RSA Conference, I will lead a panel discussion along with Michelle Beistle, our Chief Privacy Officer. One of the issues we will address is how to deal with the language gap between the privacy and security function. Our advice is you have to become “bilingual,” meaning I share with her the top issues impacting the security landscape and likewise become a student of the issues she encounters in policy, regulation, and compliance.
In the past, many CISOs were ethical hackers or policy writers who worked their way up through the CIO’s organization by dealing with a CIO-owned infrastructure. They dealt with security of the infrastructure such as firewalls, SIM, HIDS, NIDS, patch management, vulnerability testing, and other basics. These are no longer the required skills of a CISO.
Instead, CISOs are becoming more involved in risk transparency and threat mitigation strategies that are presented, evaluated, and adopted by leadership and the Board of Directors. This emphasis drives my position in the organization to be a collaborative peer to our CIO rather than a direct report.
Over the last 3-5 years, the cybersecurity landscape has changed drastically. This shift has increased the need for security professionals who have technical, business, and cyber proficiency. CISOs, now and into the future, will need to be effective communicators across a diverse group of leaders who, in some cases, may not initially like the recommendations made to protect the company, the brand, their associates, and data.
In addition, CISOs will need to secure proper funding to support security initiatives, while building a security framework with an emphasis on response versus prevention. This is not a skill. This is a change in mindset.
You are correct. There is a short supply of cybersecurity talent and, as a result, it is difficult in general to recruit and retain key talent—and specifically women and minorities.
I believe it takes awareness and education to help people see what is possible and to appreciate the diverse backgrounds CISOs may be looking for to complement their teams. I am very passionate about this situation and actively participate in many forums in support of STEM and security-specific educational programs at the primary, secondary, and collegiate levels.
If people have an interest in security but do not think they are qualified, consider that I’ve been in this field for over 20 years. I do not have a cybersecurity degree. In fact, there were no cybersecurity degrees when I went through university. My career in security began in 2000 as a Senior Security Consultant, but it may surprise you to learn that I studied psychology.
I’m glad I did because I think it offers me some unique perspectives about the human side of technology which influences how I build my team of security professionals. I look for some very specific things in the people I hire. Surprisingly, the first thing I look for isn’t their cybersecurity background. I’m looking for people who are passionate about cybersecurity and think outside the box.
Published February 20, 2019