NTSC Board Chair and Aflac CISO Tim Callahan Says CISOs Need to Get in Front of Cybersecurity Policy

Tim Callahan

Since co-founding the National Technology Security Coalition in early 2016, Tim Callahan has served as the Chair of its Board of Directors. As Aflac’s Global Chief Security Officer, Callahan is responsible for the Aflac Information Security Program, which includes threat and vulnerability management, security operations and incident response, information technology compliance and risk management, security engineering, and disaster recovery. Through the execution of his company’s security program, he is the executive responsible for the protection and availability of Aflac’s information assets.

According to Callahan, companies already spend billions of dollars protecting their networks. Part of that spend includes working with federal legislation, regulations, and requirements that impact cybersecurity. With such heavy responsibilities placed upon Chief Information Security Officers (CISOs), it’s only right that lawmakers and policymakers hear their voice in Washington, D.C., and that these C-level executives have the opportunity to influence national cybersecurity policy. In this short Q&A, Callahan discusses why the NTSC’s mission is so important and why other CISOs need to get involved.

Why did you help found the NTSC, and why is its mission so important?

A positive, consistent CISO/CSO voice was missing in the public policy domain, primarily in Congress but also within regulatory bodies. In discussion with other CISOs, we would see people testifying before Congress who were dubbed cybersecurity experts but did not have any experience in creating or maintaining a security program. CISOs just didn’t have a voice at that level, so I co-founded the NTSC to help give CISOs that voice. Our mission, as relevant today as it was in 2016, grows more important primarily because of evolving cyber threats and what these threats mean for companies from the standpoint of business and e-commerce stability. If you count the amount of money businesses spend to defend their companies, it’s in the billions of dollars. The sheer enormity of spending really drives the need to find more national cybersecurity policy solutions to help combat cyber threats.

When considering national cybersecurity policy, we can divide it into two areas. First is national defense. We need strong national security related to cybersecurity, and the CISO community certainly holds views and contributes ideas about this area of policy. Second, CISOs need to know what we must do to defend our companies. When addressing this, many CISOs observe that laws and regulations are often created and promulgated without any clear view about their impact. Lawmakers and agencies create laws and regulations, but CISOs are the ones who wind up implementing them. Getting into dialogue with lawmakers and policymakers early in the process is a strategic move by CISOs to help bring practicality to some of the legislation and regulations that are brought forth.

Another area where CISOs should have a voice is around privacy legislation. There is some legitimate debate of security versus privacy when it comes to government programs. But that is around how much information the government should have on free citizens to serve a national security need and how they should legitimately use the information. I do not think CISOs necessarily have a direct concern in that debate. But, when it comes to privacy programs within private companies, CISOs need to be at the table.

Privacy programs within companies are most effective when you have a close tie between security and privacy or, in many cases, a combined security-privacy partnership. The upfront defining of a privacy program needs to be a collaborative effort. Privacy incidents come about due to some security control failure—security is responsible for implementing effective controls to protect the privacy of information. Subsequently, forensic investigation also falls to the security team. For these and many other reasons, CISOs need a voice concerning privacy legislation making its way through Congress.

What are a few examples of ways that you've personally benefited from participating in the NTSC?

The NTSC has given me more of an awareness about the process of getting legislation introduced, marked up, and passed. I’ve learned more about the different hurdles related to committee structures. Many times, we see that legislation doesn’t have a high expectation of passing when multiple committees are involved. We generally must work with a particular committee in order for specific legislation to get passed on to other committees. Learning about the intricacies of this process has been important, along with accounting for which agencies and departments are involved in creating the rules and regulations to support new legislation. This process doesn’t stop when legislation is passed. We keep track of how a law is passed on to an agency or department so that we watch how they construct the rules. Experiencing this process up close has been valuable. I’ve found it educational to talk to so many members of Congress. These conversations have helped us understand some of the practical things we must do to make legislation happen.

Aflac has also benefited as the NTSC both leverages and complements our strong federal relations team. Our head of federal relations serves on the NTSC Policy Council, and the NTSC has helped us draw attention to and drive the dialogue around information security, cybersecurity, and privacy. Having that federal relations coverage from both our team and the NTSC has obviously been beneficial in helping us make contacts, create awareness, and synchronize what’s favorable to Aflac with what’s favorable to the NTSC.

For CISOs currently not participating in the NTSC, why do they need to get involved? What are they missing?

The biggest sell is that the NTSC provides CISOs an opportunity to not just be on the receiving end of cybersecurity policy. The NTSC helps them get in front of security and privacy requirements, regulations, and legislation that affect the welfare of national e-commerce. The NTSC gives CISOs an opportunity to influence this piece. Also, some aspect of corporate social responsibility comes into play. Aflac uses the NTSC’s activities as part of our corporate social responsibility program. We’re not just taking—we’re giving back. And the NTSC is a great way to give back not only individually to the CISO community, but by involving your company more heavily with cybersecurity policy issues that affect our businesses and national security.