CISO Conversations

In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Raj Badhwar, Chief Information Security Officer (CISO) at Voya Financial, about specific advances in cybersecurity standards in 2018, why CISOs still need technical knowledge as part of their role, and the importance of collaborating with privacy executives within companies.

What do you see as the most significant positive steps that government, business, and the security industry have made in the past year to improve national cybersecurity standards?

During the past 20 years, government, commercial businesses, industries (such as the financial industry), and security providers have all done good work with improving national cybersecurity standards—and they keep incrementally getting better. From a regulatory perspective, these sectors are working together to create regulations such as the NYDFS Cybersecurity Regulation. I think we’ve all contributed to these regulations, providing insight into how we will comply with and work together to uphold them. The General Data Protection Regulation (GDPR) is another privacy-centric regulation where I believe there was a good amount of feedback, dialogue, and collaboration between the industry worldwide and European governments. There are a couple of new state sponsored regulations on the horizon such as the California Consumer Privacy Act (CCPA) where there is potential for collaboration between the industry and state governments. As a result of this regulatory work, I believe the public and private sectors are more cyber secure.

Also, we’ve recently seen an advance with Domain-based Message Authentication, Reporting & Conformance (DMARC) as a standard. In late 2017, the Department of Homeland Security (DHS) released a binding operational directive (BOD) focused on email security and hygiene, primarily in the “.gov” space. As part of this mandate, they wanted federal government agencies to become DMARC-compliant with a DMARC “reject” policy in 2018. While they currently may not have 100% compliance, I think the goal of increasing those standards was achieved. The federal government worked with businesses and security vendors to make sure that their email security hygiene improved. Email is an area very prone to threats, so DMARC compliance has helped both government agencies and the private sector increase their security posture toward getting to full DMARC “reject” and “quarantine” capability.

I've also seen a massive amount of improvement and collaboration between the security industry and commercial entities around incorporating artificial intelligence (AI) and machine learning to help with threat detection and mitigation. This field has especially benefited capabilities like user behavior analysis (UBA), robotic process automation (RPA), intrusion prevention systems (IPS), and web application firewalls (WAF). Also, reactive response capabilities—the capability to reactively respond to a threat in an automated manner using AI or machine learning—has improved tremendously compared to two years ago. With the advent of these capabilities in our tooling, collaboration between businesses and security vendors, and a little bit of nudging from the government, the entire security industry is starting to streamline the usage and regulation of these capabilities.

One other area worth highlighting is the verification (with RFC 8446) of TLS (Transport Layer Security) 1.3 as a standard in August 2018. That was a key change because TLS 1.3, which is already a standard but not completely adopted yet by the industry and security vendors, provides perfect forward secrecy (PFS). In a nutshell, even if a few session keys are breached or stolen during a given TLS session, those keys don’t compromise the entire session—or any past or future sessions. TLS 1.3 helps to prevent man-in-the-middle or other types of attacks that plague SSL (such as decryption capabilities). In 2018, all data in transit became more secure than it was in 2017 with the capability to adopt TLS 1.3.

How has the role of the CISO changed over the past 3 – 5 years? How do you see it changing over the next five years? What do these changes mean for the mandatory skill sets of a CISO?

In the past, many CISOs came from military and industrial security backgrounds or from policy backgrounds. Both CISO types have helped to advance the role of the CISO in different ways. Next-generation CISOs still need to know policy and physical security but they also need to know a lot more about the internals of security tooling, vulnerability management, APT (advanced persistent threat), polymorphic malware, threat intel and associated support platforms and ecosystems, monitoring and response, Identity and Access Management, and various new ways to detect and prevent the exploitation of vulnerabilities and weaknesses in our internet-facing high risk applications and associated middleware stacks. CISOs are becoming more technical. I am one of those CISO types and carry many security and network certifications. I came up as a developer and systems engineer, implementing various capabilities and technologies while also writing technical security specifications and standards along the way. My principle is anything that my security engineers can do, I can do it too. Maybe not as good as them, but I can still do it and talk to them about it at a low (technical) level.

Next-gen CISOs must talk the talk and walk the walk at the same time. For example, they must:

• Have an active hand in creating the cybersecurity policy and standards.
• Decide on the tactical versus strategic security infrastructure enhancements that need to be made (and acquire needed financial investments for the same).
• Lead the charge to highlight the need for user training and communication on how best to detect (and block) security threats that come in through the email channel (e.g. phishing or spoofing) or other areas like drive-by download.
• Lead quarterly table top exercises to simulate cyber induced threat scenarios to judge a company’s capability to react and respond to the same.
• Lead a cyber risk quantification exercise.
• Be ready and able to present the current state of the security program to the company’s board of directors with a proposal for a secure future state where all known risk is either remediated through security controls, mitigated through monitoring controls, or transferred through cyber insurance.

This technical knowledge has become more important as cybersecurity started using more AI and machine learning. To a CISO, those concepts can't just be buzzwords. CISOs must actually understand the value proposition, how to implement those technologies, what threat factors are mitigated, and what threat factors are introduced when new technologies and capabilities enter an environment. They must also understand how to protect data, systems, and applications in a cloud environment across the public, private, and hybrid cloud environments.

How do more technical CISOs talk to non-technical C-level executives and boards of directors?

I don't see a barrier there. If you are technical about a given subject, you can probably speak about it non-technically. Technical CISOs can simplify the matter at an appropriate level for their audience. However, if you are not technical and you don't understand the subject matter, you cannot answer deeper questions and you’ll have to defer them to those with the technical expertise. Technical CISOs, with the appropriate amount of training and guidance, can talk at a high level and get technically deeper when needed, but the reverse is not true.

Post-GDPR, privacy has become more of a concern in the US in the wake of various widely publicized data breaches and scandals. How do you think a shift in thinking about national data privacy policy may impact CISOs moving forward?

Privacy is becoming more paramount, and it impacts everyone. There is no privacy without security, and vice versa. GDPR got the ball rolling in Europe but it also impacted businesses and people in the US and worldwide. Because of these trends, CISOs really must start understanding the implications of privacy. Data security and privacy are absolutely reliant on each other.

One often thinks of data security as just about protecting data, encrypting it, or using digital rights management. But privacy is actually another important angle of protecting data by maintaining the privacy of users, customers, and employees from disclosure and unauthorized access using techniques like but not limited to obfuscation, redaction, or de-identification. CISOs also need to know how to manage government (local, state, and federal) disclosure requirements. As a result, I think privacy impacts CISOs a lot.

Such a situation means more collaboration with privacy departments. In my current role, I collaborate a lot with my company’s Chief Privacy Officer and look closely at how we are securing data to maintain privacy. Obviously, we work together to comply with privacy laws and regulations. For example, the NYDFS regulation is very data security-focused—focusing on data encryption and making sure there are appropriate monitoring and mitigating controls. By contrast, the GDPR is very privacy-centric. CISOs must worry about both aspects of privacy and data security now, which requires more collaboration with their Chief Privacy Officers.

And as a technologist, how do I make sure that technology meets these various regulations and postures? In my world, I focus on concepts like zero trust with full micro-segmentation, advanced encryption, and digital rights management. With those technologies implemented, and then as a CISO, I've solved some of these data security and privacy problems. But there is no silver bullet. Instead, CISOs need to focus on making sure that data is kept private and that the appropriate systems and security controls are in place.

How would you recommend ways that CISOs can develop strong working relationships with Chief Privacy Officers?

It depends on how much collaboration already exists. For me, it's about keeping each other in the loop as to what we’re doing. We communicate a lot and participate on internal committees together where we constantly talk about issues such as the data security and privacy aspects of implementations. We work together to make sure that we understand existing (local, state, or federal) government regulations and how we will achieve compliance with them. Each area needs the other, so collaboration and communication are essential.

What are some ways that you believe public-private cyber threat intelligence sharing can be improved, and what are the obstacles?

Siloes are an issue. Each company often oversees its own silo of information. While they may take part in a collaboration platform such as the Health Information Sharing and Analysis Center (H-ISAC) or Financial Services Information Sharing and Analysis Center (FS-ISAC), information sharing is often not bidirectional. It flows, generally, one way. As a result, companies maintain their silos and may buy and receive information from the Palo Altos (WildFire) and Symantecs of the world. Companies usually do this out of liability concerns related to incidents, and they don't want that information to leak.

From the government side, the classification of threat intelligence makes it very hard for companies and non-government agencies to access much of that information. The government actually gathers a lot of interesting information, but we need to have the ability to consume that information in a way that preserves the confidentiality of the information. It would be ideal if that information could be anonymized and still shared.

One solution to this issue, just like we have our threat intelligence platforms implemented internally, is to create a threat intelligence platform formed as a consortium consisting of many threat intelligence platforms. For example, insurance or banking could create a threat intelligence consortium platform to share industry-specific threats on a bidirectional basis, sprinkling in some information from DHS or the FBI that can be shared to aid our defenses. As in private blockchain, a private consortium is created where we trust each other. Similarly, a (standardized) threat intelligence platform consortium to share threat intelligence with each other would be beneficial.

How reliant would that consortium be on DHS?

If we anonymize, sharing information with DHS should not be a problem. But many attacks are specific to an industry. Different industries have different challenges, and companies within those industries understand each other's challenges better. So, first, we need to share it with our industry peers. Then, if we get plugged into DHS and the FBI, we could get some information from them. In some cases, if we feel that the intelligence we received based on attacks we remediated or repulsed might have a national security aspect to them, then we should certainly share that back with our defense partners. Many times, they have that information already. But threats are so varied and vast that sometimes nobody has all the available threat intelligence. Collaboration is key here.

As the security industry wrestles with a worldwide talent shortfall of approximately 3 million people, diversity has emerged as a serious problem for CISOs to address as women and minorities either quickly leave the industry or never become interested in it. What are some ways you believe we can address diversity issues within the security industry?

We must attack the root cause of the problem by building an interest in cybersecurity for women and minorities while they are in K-12 and college. In my own life, I'm already teaching my daughter programming and cybersecurity concepts such as malware, cyberattacks, how you prevent attacks, and how you protect against threats. I'm trying to build that interest for her right now, and that's what we must do in our schools and colleges to reach them and get them interested in our profession.

Also, security has always had a macho aura around it. That gives the impression for many people that cybersecurity is full of ex-military, ex-defense, or ex-police-type people. It’s easy to think one’s personality wouldn't be a fit in that career. We must break that mold because cybersecurity is a diverse field that includes policy people, operational people, and engineers along with some people who have defense and military backgrounds. It's a mixed bag. People of all types, ideas, and diversities are welcome here. When I'm hiring, I actually look at IT people who aren't security people to see if I can get them interested in our profession.

I think the future is bright for the security industry because a lot more awareness and interest in diversity and hiring diverse candidates exists. People are ready to wait a little longer to get interviews with diverse candidates rather than just looking at the first five resumes and hiring quickly. I will wait a few weeks and make an extra effort to ensure I get some diversity of talent in the candidate pool in order to help me make the best selection.

Diversity is also a mission, and we need to get the message of the mission across. For example, look at our military. We have diverse men and women there. They fight shoulder to shoulder together if needed. They have a sense of mission. It's about national pride and protecting our country. We need a similar mission in the security industry. Our mission is to protect our organization’s systems and data. In the financial services industry, we must protect our user data, customer data, employee data, and company reputation. When you give that sense of mission to the people who work in the cybersecurity profession, you can transcend diversity boundaries.

Disclaimer: The views expressed and commentary provided in this post are private. It does not comment on the state of and/or implementations within the cybersecurity or IT programs of my current or former employer(s). Instead, this write-up is a review of industry views, discussions, and trends to stimulate thought and provoke discussion about cybersecurity principles and practices for the same.

Published February 20, 2019