In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Selim Aissi, SVP and Chief Security Officer of Ellie Mae. Aissi talks about the positives and negatives around an increased focus on data privacy, industry issues impacting the evolving role of the CISO, and significant strides in NIST standards.
At a high level, recent advancements in the NIST Cybersecurity Framework are extremely valuable to our industry. My biggest hope with the future of NIST standards lies in the areas of identity and access management along with data security. The privacy controls that NIST has developed are also significant. After coming up with a brand-new privacy framework and collecting a lot of feedback from contributors, NIST released its Privacy Framework Version 1.0 in January 2020 and it's already making some significant impact. Data privacy has become such a big concern across all industries, and we haven’t seen any well-defined concrete standards that companies could operationalize from a privacy framework perspective until this point. The framework and tool that NIST built for improving privacy is probably one of the most significant standards I’ve recently seen.
I see two sides. First, there is a positive impact. This increased attention augments the importance of consumer data privacy and makes sure all boats are lifted. We’ve focused more on data privacy across the nation, both in the private and public sectors, and it’s positive to see the protection of consumer private information in the spotlight and as a national priority. Second, there is a negative aspect. The downside of this extensive focus at the federal and state levels is fragmentation. As a CISO, I may potentially deal with 50 privacy regulations plus a national law. States are not waiting for the creation of a national privacy regulation, and they're coming up with their own privacy laws such as the California Consumer Privacy Act (CCPA).
As a result, CISOs may have to deal with a fragmented set of requirements. While a lot of overlap exists, the requirements are enforced by different states with slightly different requirements. This situation grows more complex if a federal law gets passed. This is the downside of extreme urgency when coming up with privacy regulations. Over the next 3-5 years, I think this urgency will settle a little bit. But right now, we’re seeing a lot of urgent, reactive work in this space. The weekly disclosures of data breaches are definitely adding fuel to the fire.
Like anything, the first release of any requirements will not be perfect, and changes will occur later. In the early days of security regulations in the State of New York, the New York Codes, Rules and Regulations (NYCRR) went through the same process. Over time, the State of New York updated the NYCRR until they refined its security regulations into a workable list of requirements. Among data privacy requirements across the nation, I also see a lot of “rinse and repeat.” Many requirements overlap and some are taken from other regulations such as the General Data Protection Regulation (GDPR).
I believe it will take another year or two until these requirements stabilize, become more reasonable, and focus on the US consumer. I do believe we should have one framework, one standard, and one set of requirements at the federal level instead of over 50 data privacy regulations. The impact of so many requirements is not felt by the consumer—it’s felt by businesses. A financial institution or social media company operating in 50 states will have to deal with every local set of data privacy and security requirements. That’s what we're facing if we keep going down this path.
The role of the CISO has changed year after year, especially during the past five years. A while back, the role and value of a CISO was still questioned, but we're past that now. The need for a formal CISO is not questioned by organizations anymore, especially for businesses dealing with a lot of customer data and critical assets. In fact, the next two or three years will probably create even more demand for CISOs because of a few things.
There is already a tremendous amount of cyber threat intelligence sharing across our industry, but a few challenges do exist. Much of the good threat intelligence is not free or cheap. So, what’s exchanged freely is not necessarily the best threat intelligence material. Also, leveraging such threat intelligence requires specific processes, skillsets, automation, and infrastructure.
Often, I hear blame from organizations that threats are not shared. However, I also find that many of those organizations are probably not ready to effectively ingest and take advantage of that threat intelligence. Threat intelligence sources range from public (open source) to private (paid) sources. There are also industry-specific sources of threat intelligence, such as the FS-ISAC serving the financial industry. The real challenge stems from the ability to leverage all those threat intelligence sources and make use of the strategic, operational, and tactical threat intelligence available.
I am personally a true believer in diversity, and I push for all types of diversity. In fact, some of my teams consist of nearly 50 percent females, which I’m very proud of. It’s definitely a challenge to recruit different, diverse groups in the cybersecurity space because a huge talent shortage exists. However, striving toward a more diverse cybersecurity workforce is doable.
Work environments must operate slightly differently to encourage the hiring and retention of a diverse workforce, and a company’s culture must appeal to different groups. While I’ve seen a tendency for more women to work on the governance, risk, and audit side versus engineering, there are organizations such as mine with many female engineers. The key to diversity is making sure a company’s culture accommodates a diverse workforce and provides a clear career development plan so that employees have a clear career path within the organization and are incentivized to work hard to achieve it.
One key reason for this shortage of cybersecurity talent is that universities have not trained enough people to work in this space. Many universities have provided engineering degrees without even a single offered cybersecurity class, but that’s changing very quickly. We now see more and more master's degree and certification programs in cybersecurity, and I have some team members who successfully went through those programs to get more practical expertise in several cybersecurity domains. Besides advanced degrees (such as master’s and PhD degrees) in cybersecurity, we also need to see more training in community colleges, technical colleges, and vocational schools. In fact, I'm volunteering to teach cybersecurity in some of the community colleges in the Bay Area.
Finally, there is a great opportunity for more university-industry partnerships where students who would like to continue learning about cybersecurity can work for partnering companies. A stronger partnership between universities and companies, with more cybersecurity training at the university level, will definitely provide a much larger, highly skilled cybersecurity workforce.