Synovus CISO Kevin Gowen Makes the Case for Why CISOs Must Join the NTSC to Impact National Cybersecurity Policy

As Chief Information Security Officer of Synovus, Kevin Gowen is responsible for all aspects of information security and business continuity including identity and access management, security architecture, security operations, IT risk assessments, audit and regulatory interfaces, disaster recovery coordination, business continuity planning, and crisis management. He is responsible for setting the strategic direction for Synovus’ enterprise security program to ensure that information assets and technology are adequately protected.

While focused on his company and industry, Gowen also realizes that, as a CISO, he needs to take a much broader perspective on national cybersecurity policy through the National Technology Security Coalition (NTSC). In this short Q&A, Gowen makes a strong case for why CISOs need to join the NTSC. He discusses the knowledge gleaned from staying on top of emerging cybersecurity bills and regulations, the impact of contributing the CISO’s voice to legislative and regulatory discussions in Washington, D.C., and the benefits of collaborating with CISO peers from across the nation who represent many different industries.

Why did you join the NTSC?

First, to gain knowledge and better understanding about cybersecurity policy at a national level. Without the NTSC’s expertise, it’s difficult for a CISO to keep track of all the different cybersecurity laws and bills introduced, debated, and passed at the federal, state, and local levels. Second, I joined the NTSC for the opportunity of contributing a voice to the process of creating and influencing national cybersecurity policy. By giving input and providing a CISO’s perspective to lawmakers, we’re not driven by our industries or particular hot-button topics but instead as practitioners with a focus on cybersecurity. CISOs are the ones who ultimately end up implementing laws and regulations, so it’s important to have the opportunity to influence policy.

Another reason I joined is for the opportunity to collaborate with peers. The NTSC includes a great group of top CISOs with whom I have the chance to collaborate in a neutral environment—not driven by sponsors, vendors, or politics—where we’re all focused on solving the same set of problems and issues. I haven’t seen another group offer me these things the way the NTSC does.

Why is the NTSC's mission so important?

CISOs all talk about their biggest cyber risks and what keeps them up at night. At the national level with the NTSC, we talk about what a threat these risks represent. It’s critical to provide lawmakers and policymakers informed consensus on what good policy looks like and what problems we must solve. Otherwise, lots of cybersecurity topics get stirred up by hot-button headlines or what drives recognition and interest only among consumers and consumer-oriented groups. Instead, lawmakers and policymakers need to hear from CISOs—practitioners who live with areas like data privacy and other cybersecurity issues every day. We end up implementing the laws and regulations they pass, and we understand these threats the most.

Allowing CISOs to have a voice in this discussion is a really important part of the legislative process that the NTSC helps address. It’s just so critical to make sure CISOs focus their energy on the right problems, provide informed discussion and dialogue about legislative policies, and spread that message. Through the NTSC, CISOs have a huge role to play in the solving of critical national cybersecurity problems.

What are a few examples of ways that you've personally benefited from participating in the NTSC?

Personally, I’ve gotten a better understanding of the entire process around how legislation gets introduced, reviewed, marked up, and ultimately passed. It’s also been very beneficial to contribute to this legislative process by sharing my perspectives through the NTSC Board of Directors. Through the NTSC, I receive a lot of information about what’s going on in terms of emerging laws and regulations. In the financial industry, my company is subject to regulations from a lot of different entities such as the Federal Reserve, FDIC, and OCC. The NTSC is a great source of information from a policy and regulatory perspective—not just keeping us informed about laws, regulations, and policies but also providing me the perspective from my CISO peers about what these laws and policies might mean.

This great collaboration helps not only me but also my team. I bring back ideas to our team about how other companies solve certain cybersecurity problems. We’re all facing similar challenges, so hearing about how other organizations deal with specific problems—learning what they’ve done and hearing about different approaches to the same problem—is really helpful.

Overall, one of the biggest benefits of the NTSC is that it provides me an open, candid forum with fellow practitioners. It’s not vendor-driven. Instead, we collaborate on how we can make our industry more secure. Many CISOs are involved with groups that are either vendor- and technology-driven, or they are tied to our particular industry. What I find valuable about the NTSC is that it brings people together from different industries across the nation. As a result, we get such a broad level of discussion and perspectives. It’s difficult to receive such collective, distilled perspectives any other way. As a CISO, I couldn’t pay to have this kind of access to these particular CISOs and subject matter experts.

For CISOs currently not participating in the NTSC, why do they need to get involved? What are they missing?

If you don’t get involved in these national cybersecurity policy discussions and help drive the agenda, then someone else will. The NTSC provides CISOs a chance to have a voice in the national cybersecurity policy process and impact what’s going on in Washington, D.C. Cybersecurity laws and regulations are going to happen anyway, so I think it’s important that CISOs have a voice in this process.

Another reason to get involved is the ability to work together in a nonpartisan way with top CISOs from around the country. To collaborate with that kind of group, focusing on shared issues and a shared nonpartisan agenda, is ideal for CISOs who ask, “How can I continue to grow and develop? How can I give something back to the security industry at a national level? How can I contribute toward how we solve a major cybersecurity policy issue at the national level?” Participating with the NTSC gives them answers to these questions and the opportunity to give back to the cybersecurity industry. It’s a key obligation as a CISO, and the NTSC is a great organization to help us execute that obligation.