As Chief Information Security Officer of Oceaneering International, Eric Seagren oversees information security for a global organization with offices in 25 countries that does business in the aerospace, entertainment, material handling, military and defense, and oil and gas industries. His focus is to design security policies and solutions that respect the business needs and operational requirements of the organization, maximizing effectiveness while minimizing impact. He is also a published author with multiple publishing credits including “Secure Your Network for Free” and the co-authored “How to Cheat at Configuring Open Source Security Tools.”
Seagren sees his NTSC board member role as a way to engage in high caliber CISO networking that most groups and events don’t offer—while positively impacting the knowledge of lawmakers on Capitol Hill. For Seagren, no other group offers him this unique blend of professional benefits and impact on national cybersecurity policy. In this short Q&A, Seagren discusses why he joined the NTSC, why its mission is important, and why other CISOs need to get involved.
Certainly, the networking opportunity drew me. As a CISO, I’ve attended various events hosted by a company or organization that sometimes become a sales pitch for a product or service. While some peer-to-peer conversation takes place at these events, it’s very limited and attendees are often shoehorned into a particular direction. These events lack the freeform networking I want with CISOs. With the NTSC, I’ve really enjoyed the opportunity to network with my CISO peers in a very open manner. Everyone at these events has been very friendly and receptive, and I’ve received a lot of value out of these conversations and connections.
Beyond networking, I also became interested in the NTSC when I saw a huge need for CISOs to communicate with lawmakers who are not necessarily technical. I think when lawmakers usually try to reach out to a cybersecurity expert, they receive a skewed perspective. For example, academia may lack a perspective that reflects the real world, or a lawmaker may always reach out to someone with a specific point of view where it’s easy to receive a confirmation bias from who they select. I find a lot of value participating with the NTSC because they offer the opportunity for CISOs to provide lawmakers industry-agnostic, nonpartisan expertise and knowledge in an unbiased fashion. Making sure the voice of CISOs was heard in this way appealed to me, and I really wanted to contribute.
Currently, no organization focuses on or fulfills the NTSC’s mission. If they do overlap with our mission, they are not enacting this mission in the same manner, objective, or spirit of just sharing industry-agnostic, nonpartisan experience and wisdom in a way that hopefully benefits lawmakers. Other similar groups have a specific agenda, and academia operates in a different world that doesn’t often represent the feedback of those—like CISOs—in the trenches. Based on what we see of current and proposed laws (or the lack thereof) and the fact that Congress seems to lag far behind with its technology knowledge, I think a clear need exists to share a CISO’s expertise with lawmakers—and that need is filled by the NTSC.
I think lawmakers listen, and I’ve been pleasantly surprised during our meetings. Obviously, some lawmakers will be more engaged than others and we always need to stay aware of politics, but I’ve been pleased that lawmakers seem to really want the help of CISOs and receive the NTSC’s perspective on important national cybersecurity policy topics. I am happy to participate in these meetings and I believe our perspective brings a lot of value to lawmakers.
Beyond the personal benefits I experience from the NTSC’s professional networking opportunities, I find I can also take back many ideas to my team. At NTSC conferences and events, I hear about how other CISOs deal with specific problems. No matter our industry, we all deal with the same challenges. The specifics may change, but we fill in the blanks the same way for each problem. Whether we’re protecting PII, PCI, CUI, or another acronym, we are all facing the same challenges.
So, when we talk with our peers within the context of the NTSC, we have open, frank discussions. I find it really valuable when we discuss a topic and I hear five different approaches to tackling it. The approaches could involve completely different architectures or different technical solutions. Maybe a CISO came up with a creative solution, a new approach, or a different angle—such as how they approach a sales pitch to executive management, for example. When I start hearing about different ways of tackling these challenges, I run into solutions that I had not thought about. The NTSC serves as a good sounding board. If everyone chips in to the discussion, then many heads are better than one. I take these ideas back to my organization and ask myself, “How can I work this solution in and leverage it?”
This idea exchange works both ways. One great example is when I shared some ideas about mandatory security awareness training. At my organization, employees don’t have to complete security awareness training—but if they don’t then we block their personal internet access at work. The effectiveness of that approach was amazing. Other CISOs told me, “I didn’t think about that approach.” CISOs now had a new technique they could try and explore with their teams to see if it was something they could implement in their organizations.
Pragmatically, if you don’t get involved in national cybersecurity policy discussions in Washington, D.C., then someone else will speak for you. NTSC offers the opportunity for CISOs to have a voice on Capitol Hill. Like voting, if you don’t vote then someone else will “vote” for you. If you want to have a voice, then you must participate, get involved, and become a member.
Also, I suspect CISOs all can relate that trying to find good forums for open discussions with your peers is hard. On the surface, these meetings look easy to find. CISOs can get a free meal every day of the week, and there are plenty of invitations to lunches and dinners that are supposed to involve a group of your peers. However, I’ve found it very difficult to actually experience good quality, frank, open conversations at these events. Those kinds of conversations at events are few and far between. Looking at it from a networking perspective, I have found the NTSC offers higher caliber discussions than what I’ve found at many superficially similar get-togethers. The NTSC simply offers higher quality networking.