Chief Security Officer
In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Ron Green, Chief Security Officer at Mastercard, about improvements in public-private sector cyber threat intelligence sharing, the challenges of global companies adapting to regional data privacy laws, and thoughts on addressing the root causes of the cybersecurity talent shortage—including diversity issues—in the United States.
Late last year, the Cybersecurity and Infrastructure Security Agency Act redesignated the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA). I think that rebranding went a long way toward helping the private sector understand some of the capabilities and services available through DHS. Many companies do not know what DHS makes available, and so this helps DHS become more transparent about its capabilities and services for both large companies and also small- and medium-sized companies.
From my vantage point in the financial services sector, we continue to make good strides in enabling the greater sharing of information between companies in our industry. We're starting to connect some of our fusion centers and share our indicators of compromise from machine to machine. Rather than only my analysts formulating what we see, other financial services organizations will also see what I see and I'll see what they see. Together, we can create a better picture of what our adversaries are doing.
Within the US, we're making good progress. I know DHS is trying to work its way up to machine-level sharing. We've done a lot to open the gates and enable the sharing of information between organizations. This includes using DHS’s portal as well as using sector-specific information sharing portals like FS-ISAC that connect to DHS. We are also researching other potential ways to share threat information more effectively.
While we are making good strides in sharing information, we are still limited because we share it at human speed. A major problem with intelligence analysts sharing at human speed is that we all have a bias. When my analysts analyze data and share it with others, our analysis is based on our bias about the data. We make an interpretation and share it.
Ideally, my analysts would not only share our data but also look at other data that's out there so more aggregate analysis can happen. As an example, if my intelligence analyst perceives a threat, we're going to share this threat with information sharing portals. But maybe my analysts don’t see a slower attacker targeting me who is also targeting three other institutions. Those three other institutions may share with me, but only from their perspective, and we all miss the greater picture. A more aggressive, thoughtful actor may target us, but we can't see it because we're focused on our individual pain points. However, when we can share our data and let analysis take place across the data sets, we can better see these actors operating.
We’ve still got a long way to go. Currently, I can share this kind of data with a couple of companies. But this means more companies must build up and enable a way to not only receive but also send out information at machine speed. My team can share this kind of data with DHS, but we need greater accuracy and more details in the data that we get back from them. There's an opportunity for DHS to improve upon that aspect.
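The point made above, that an actor who stays quiet at any single institution becomes visible once shared indicators are analyzed across data sets, can be shown with a small correlation script. This is an added example written for this page; it is not code from Mastercard, DHS or FS-ISAC, and the organization names, indicator values (drawn from documentation-reserved ranges and example domains) and thresholds are all constructed.

```python
"""Cross-organization indicator correlation (constructed illustration).

Each participating organization shares sightings of indicators of
compromise (IoCs) machine-to-machine.  Individually, every organization
sees only a handful of events for a slow-moving actor, well below a
typical local alert threshold.  Aggregating the shared sightings across
organizations reveals that the same indicators recur at several
institutions over the same period.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Sighting:
    org: str        # hypothetical sharing participant (constructed name)
    indicator: str  # IoC value; constructed, uses reserved/example ranges
    ioc_type: str   # "ipv4" or "domain"
    seen_on: date   # date this org observed the indicator
    count: int      # number of events this org observed for it


# Constructed feeds from four hypothetical organizations, org-a .. org-d.
SHARED_FEEDS = [
    Sighting("org-a", "198.51.100.23", "ipv4", date(2019, 3, 2), 2),
    Sighting("org-a", "login-verify.example", "domain", date(2019, 3, 4), 1),
    Sighting("org-b", "198.51.100.23", "ipv4", date(2019, 3, 9), 1),
    Sighting("org-b", "203.0.113.77", "ipv4", date(2019, 3, 10), 40),
    Sighting("org-c", "198.51.100.23", "ipv4", date(2019, 3, 15), 3),
    Sighting("org-c", "login-verify.example", "domain", date(2019, 3, 16), 2),
    Sighting("org-d", "198.51.100.23", "ipv4", date(2019, 3, 21), 1),
    Sighting("org-d", "login-verify.example", "domain", date(2019, 3, 22), 1),
]

LOCAL_ALERT_THRESHOLD = 10  # events one org needs before its analysts escalate (assumed)
MIN_ORGS_FOR_CAMPAIGN = 3   # distinct orgs needed to call it cross-sector (assumed)


def local_alerts(feeds, threshold=LOCAL_ALERT_THRESHOLD):
    """What each org would escalate on its own: indicators whose event
    count at that single org meets the local threshold."""
    per_org = defaultdict(lambda: defaultdict(int))
    for s in feeds:
        per_org[s.org][s.indicator] += s.count
    return {org: sorted(i for i, n in inds.items() if n >= threshold)
            for org, inds in per_org.items()}


def aggregate(feeds):
    """Collapse sightings across orgs: per indicator, which orgs saw it,
    total events, and the first/last sighting dates."""
    agg = {}
    for s in feeds:
        entry = agg.setdefault(s.indicator, {
            "type": s.ioc_type, "orgs": set(), "events": 0,
            "first": s.seen_on, "last": s.seen_on})
        entry["orgs"].add(s.org)
        entry["events"] += s.count
        entry["first"] = min(entry["first"], s.seen_on)
        entry["last"] = max(entry["last"], s.seen_on)
    return agg


def cross_org_campaigns(feeds, min_orgs=MIN_ORGS_FOR_CAMPAIGN):
    """Indicators seen at >= min_orgs distinct organizations, widest first.
    Returns tuples of (indicator, org_count, total_events, span_days)."""
    out = []
    for ind, e in aggregate(feeds).items():
        if len(e["orgs"]) >= min_orgs:
            span = (e["last"] - e["first"]).days
            out.append((ind, len(e["orgs"]), e["events"], span))
    return sorted(out, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    print("Local view (each org alone):", local_alerts(SHARED_FEEDS))
    print("Aggregated view (cross-org):", cross_org_campaigns(SHARED_FEEDS))
```

In the local view only org-b escalates anything, and only because of a noisy indicator it alone sees 40 times. In the aggregated view the two quiet indicators, never exceeding three events at any single organization, show up at three and four institutions respectively across a roughly three-week span, which is exactly the slow, multi-target actor the interview describes each organization missing on its own.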
I think you could keep asking this question year after year, and the CISO’s perspective will change over time. Past CISOs were mostly very technology-focused and somewhat buried and layered down into an organization. Today, a recognition has emerged that the insights needed at a strategic level for a company require more conversations with CISOs, especially as a company makes larger strategic decisions about acquisitions or different product paths.
Then, add the impact of a bad cyber incident happening. As a result, we need to become more thoughtful about security and our strategic direction—and more acutely aware of what bad consequences can happen if something goes wrong. Instead of a layered down and deeply technical CISO, today’s CISOs have followed a career path where they are expected to engage with board members and the CEO, talk with customers, and say coherent things in the public eye.
So, CISOs have transitioned from technical roles with very little public-facing non-technical speaking to a somewhat technical role that requires speaking in terms that business people can understand. This trend won’t go away, and I think CISOs will continue finding themselves in a more proactive business role where they make recommendations rather than waiting for business stakeholders to ask the CISO what they think.
People tend to think about privacy in a regional, localized, country-specific, or state-specific way. So, here’s how it feels from my perspective. One country, group of countries, or region wants to be better than other countries or regions. A progressive ratcheting up occurs. “They got to eight, so I think we can get to nine.” “Oh, they got to nine? I think we can get to 10.” But during this ratcheting up, these regions make things more difficult by increasing the amount of requirements and ideas they have about how to best protect their citizens. And that adds greater complications for CISOs who now have to think about data in localized areas.
Now consider that our adversaries don't give a hoot about where information is located. These laws mean a CISO must now think about information geographically while dealing with adversaries that move effortlessly through these geographical boundaries because they don’t care. It’s a bit like diseases. You can develop an immunity for a disease in Latin America, but what about Europe? Do we just keep this immunity tied up in Latin America? And if it gets to Europe, do we let Europe figure it out on their own? To me, that’s how many of these data privacy laws seem to be playing out.
As a CISO, I’ve got to manage data in different ways based on locale and then also segment what data goes where. Once upon a time, we had an ability to see what adversaries were doing across the globe. Now that I'm serving the whole data in different pockets and I can't move or share it across these pockets, an adversary that operates in one locale can get smart and attack me. They can get smart in Latin America, and I can get smart against them in Latin America. But wouldn't you know it, once I counter them in Latin America they then spread to Europe. So now, I must separately deal with them in Europe in a completely different way.
We must address not only diversity but also the issue of just not having enough talented individuals to fill these positions.
To help address this critical talent gap, we recently launched the Cybersecurity Talent Initiative, a first-of-its-kind public-private partnership aimed at recruiting and training a world-class cybersecurity workforce. The program involves a consortium of leading private sector corporations, like Microsoft and Workday, and federal agencies that have mission-critical, entry-level cybersecurity needs. The program provides a selective, cross-sector opportunity for highly-qualified graduates in cybersecurity-related fields to jumpstart their careers by gaining public and private sector work experience.
Selected participants are hired for a two-year placement at a federal agency, then invited to apply for full-time positions with the program’s founding corporate partners. Participants hired by these private-sector companies will then receive up to $75,000 in student loan assistance.
But this is only one piece of the talent puzzle. We must make cybersecurity something that people see or experience at a very young age. That's not what happens now.
Keep in mind that many current CISOs, including me, did not know anything about the cybersecurity field at a young age. Here's how I got into cybersecurity. I was a special agent with the Secret Service. I had a degree in engineering while all the other agents with whom I worked had a degree in criminal justice. We would seize computers and they would say, "Oh, you’ve got a technical degree. Do something." That's how I got started in this field.
Today, kids often see cybersecurity once they get into college but they're not hearing about it in middle school or grade school. They should be learning about cybersecurity in their everyday life. Many of the security principles we work on are basic 101 best practices that people should be incorporating into their life, but they don't hear about them because they don't get exposed to these best practices. And when you start to educate them later, cybersecurity feels more like an obstacle that gets in their way.
And yet, many people still get introduced to cybersecurity as a career in high school or college because they may hear about the demand for people. But that’s late in a student’s path. When I grew up, I got into engineering because of programs that exposed minority students to engineering. I grew up in the inner city in Philadelphia and had an opportunity to see what engineers do. That's why I chose engineering.
Currently, we don’t have much of this exposure around cybersecurity. Some programs like CyberPatriot or the Security Advisor Alliance are working with schools through providing resources and mentoring. But these individual programs can only reach so many schools. We must mobilize as a society and make cybersecurity part of the curriculum. This is a field that won’t go away. We’re only going to add more and more computers and enable more and more technology. Just think about the Internet of Things (IoT). Dozens of objects in everyone’s houses become part of the internet, and corporate networks become more diverse. Who's taking care of that?
We need to be invested in the long-term. If I just worried about the talent shortfall now, I might make some traction but it doesn't really help where we need to be as a society.