CISO and EVP Information Security Services
In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Tim Held, Chief Information Security Officer and EVP, Information Security Services, at U.S. Bank. Held talks about several important initiatives that have raised national cybersecurity standards, ways to strengthen the public-private partnership around cybersecurity, and how to grow diverse teams using a variety of strategies.
The establishment and continuing evolution of the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security (DHS) holds great promise for public-private partnerships. CISA facilitates the sharing of cyber threat intelligence unavailable to us through non-government sources. We also continue to value our partnership with the Department of Treasury, our sector-specific agency, which provides information tailored to our industry including classified intelligence briefings.
The financial services industry launched the Cyber Risk Institute (CRI) in May 2020, the culmination of five years of collaboration across our industry and of dialogue with government regulators. CRI enhances cybersecurity resiliency through standardization, and the financial sector cyber profile tool is the benchmark. It gives us a common framework for cybersecurity and resiliency assessment that will enable us to focus our resources more on our frontline defenses and more consistently map our policies and procedures to regulation. It’s a many-to-one tool. We have many different regulations with different requirements, and this tool provides a central common language to help us comply with them.
Also, MITRE Engenuity created the Center for Threat-Informed Defense in November 2019 as a response to feedback from the cybersecurity community about the need for a non-commercial, nonprofit focal point that will sustain and accelerate the evolution of publicly available resources critical to cyber defense. MITRE is a technology foundation that collaborates with the private sector on challenges that demand a solution in the public interest, covering areas such as cybersecurity, infrastructure resiliency, healthcare effectiveness, and next-generation communications. The Center for Threat-Informed Defense is a collaboration with industry to improve our cyber defenses at scale through collaborative research and development. U.S. Bank was one of the founding research sponsors for the center earlier this year, and we've since created our own threat-informed defense team aligned with the functional capability of MITRE's Center for Threat-Informed Defense. MITRE is doing a lot of great work looking at cyber threats and different techniques and tactics to combat them.
The future presents high stakes for those with the responsibility of protecting data. In the financial services industry, cybersecurity is still very much a team sport, and we need to continue sharing information through the FS-ISAC with our peers on a continuous basis. This ISAC is incredibly open, offers great value, and helps us make the entire financial ecosystem more secure along with each of our own banks. The FS-ISAC continues to evolve and provides us the best source of information beyond what we already receive from our government partners. We also benchmark our threat detection, prevention, response, and recovery with each other beyond just sharing threats, giving each of us an opportunity to see where we sit from a maturity perspective.
In recent years, the role of the CISO has evolved from a focus on technical expertise into a role relying more heavily on broader business acumen and risk management expertise. Today, the CISO’s role revolves around risk—understanding it, communicating it, and mitigating it with an understanding of the business’s needs as a whole. Over the next five years, I believe we'll see the CISO role become more prominent in organizations both large and small. CISOs will need a clear vision of their role within companies, a clear reporting structure, and access to some of the best and brightest talent.
With this shift, I think we, as CISOs, must see ourselves more as business leaders rather than hands-on technical pros. We need business acumen and the ability to communicate clearly and astutely, and to be able to interpret “tech speak” in a common language that facilitates the connection between cybersecurity and business decisions for boards and organizational leaders. CISOs also need to understand the impact of their decisions on the bottom line so that technology investments are made in a prudent and wise manner, making sense to the entire organization and not just a CISO’s narrow silo.
Finally, CISOs need diplomacy to build relationships and navigate landscapes both internally and externally without causing friction between business lines, consumer needs, regulatory needs, or security needs. That’s why business acumen and not just technical expertise is so important.
I think a national data privacy regulation would be a positive development and most CISOs would welcome this shift. A company’s reputation is partly built on its ability to safeguard financial and other personal information. Data privacy is a very critical area that we must not take lightly. At the end of the day, it's about protecting data and money for the bank or financial institution.
In May 2018, GDPR went into force in all European Union member states to harmonize data privacy laws under one regulation. That's been a good thing for CISOs particularly because the regulation significantly simplifies the compliance requirements around data for companies with a global footprint and allows CISOs to focus on the actual work of data protection within a region.
In the US, there are currently three states with different data privacy laws passed, with at least 16 more coming through the pipeline for a vote as well as other states with bills postponed or that died. This potential patchwork of laws across America is scary and will just add more complexity when companies comply with regulators. CISOs of smaller companies will have the most difficult time complying. If we get away from this patchwork of state laws and instead pass a national law around data privacy, similar to GDPR, that would be fantastic.
The financial services industry continues to believe that the federal government should do more to share sensitive and even classified intelligence with the private sector. This is not for competitive advantage but to ensure security in our networks. The more collaboration between the public and private sectors, the better. And the more the private sector can share cyber threat intelligence amongst ourselves, the more we can share our information with different government entities, which benefits everyone as a whole.
Whether this means expanding DHS’s private sector clearance program whereby industry personnel are given government security clearances in order to access classified information or some other solution that we haven't thought about yet, we believe industry and government can come to the table and develop mechanisms that meet industry's needs for information and government’s needs to protect sensitive sources and methods.
This is one of my areas of passion. Building diversity in our pipeline requires a fundamental shift in mindset—that people from many different, diverse backgrounds will only make an organization better, not just from their backgrounds but also their experiences. If you hire people with different experiences such as marketing, engineering, risk, etc. onto your security team, blending all those different experiences and backgrounds together makes for a better overall organization.
We're heavily involved with our cybersecurity skills pipeline through our engagement with colleges, universities, and education programs within the industry and government. We also joined the Aspen Cybersecurity Group which, along with other industry leaders, pledges to look beyond four-year colleges and universities in our search for cybersecurity talent and develop job positions and descriptions in alignment with industry standard frameworks such as the NICE Cybersecurity Workforce Framework. We also have several leaders who sit on advisory boards for different academic institutions.
For example, we are one of several companies supporting the Cyber Fellows program at the NYU Tandon School of Engineering. Currently, students receive cyber fellowships valued at about $45,000 per person, a significant investment. We work with the University of West Florida Center for Cybersecurity and the National Cybersecurity Training & Education Center, and we also maintain ties with the program office for the National Centers of Academic Excellence in Cybersecurity Education. Through this partnership, we can influence cybersecurity education in almost 400 colleges and universities. Even at the high school level, we spend a lot of time coaching high schoolers, bringing them into our company, and showing them cybersecurity, banking, and technology in action. This stimulates interest so that students can really think about what they want to do as they move into college.
Also, we must not overlook our internal workforce. We know that many people within our organization have backgrounds not traditionally security-oriented but have knowledge, skills, and abilities that easily translate into security roles. Companies need to start making investments in developing their own talent. We spend a lot of time cross-training our internal talent, putting cybersecurity conferences on for our organization, talking about cybersecurity training and workforce development, and making sure our own internal workforce stays current with their skillsets.
I always tell people, “We can teach you security but it's hard to teach the business acumen or institutional knowledge.” As a result, we have a lot of people that worked in branches, for example, who we pull into information security because they have that institutional knowledge of how a branch works and how the data flows. If I can move that person into a data loss prevention or insider threat career because they know the institution, we can teach the security skills on top of that.
We also invest a lot in our community. For example, in Cincinnati, we have a program called NaviGo Scholars. It consists of a class of about 16 students who come and spend the summer with us. Then, throughout the school year, we teach and promote different security skillsets they will need. We play games and do team exercises so they can really understand what it means to defend the network. Programs where you can forge partnerships with nonprofit organizations are always good. We also work with the Girl Scouts, which helps get more girls interested in cybersecurity and technology. We've reached out to more than 1,000 girls working with the Girl Scouts, so that’s been successful.
In order to build a diverse pool of talent, we must look to diverse places for that talent. Tapping into various platforms geared toward people from underrepresented backgrounds is really important. We host interns, provide scholarships, and partner with various institutions. The more we can get out into the community, forge those partnerships, and spend time with people, the more our industry benefits.
The challenge of finding diverse candidates and developing a diverse team is extremely important and something I'm very passionate about. And it's a lot of fun, too, spending time with different universities and giving scholarships out. After all this work, though, our industry needs to do a better job recruiting these candidates.