Jason Witty is not only Executive Vice President and Chief Information Security Officer at U.S. Bank but he also provides industry leadership in volunteer roles with the Financial Services Information Sharing and Analysis Center (FS/ISAC), ChicagoFIRST, Arbor Networks, Qualys, the Cloud Security Alliance, the RSA Conference, and the FBI’s Chicago Infragard.
Despite that full plate, Witty finds his participation as a board member of the National Technology Security Coalition as essential for his role as the CISO of the fifth largest bank in the United States. In this short Q&A, Witty discusses why he joined the NTSC, why its mission is important, and why other CISOs need to get involved.
Why did you join the NTSC?
First, I wanted to help support an organization that gives CISOs of all industries a specific, distinct voice to describe the pains and challenges that we experience every day. From there, we can then help articulate and enact the requisite policy changes that need to happen on the Hill in order to lessen those pains and challenges.
Second, I found the NTSC an excellent place to have valuable interactions with my peer group of CISOs along with other select senior cybersecurity executives and stakeholders with knowledge about national cybersecurity policy. Getting together and having confidential discussions with like-minded peers on very important topics appealed to me.
Third, the NTSC is an excellent organization to help me increase the level of influence I have personally, professionally, and globally as a CISO.
Why is the NTSC's mission so important?
The cyberthreat environment has outpaced our legislative and, more broadly, our governmental capabilities to deal with it. Companies have been victimized and, yet, they’re treated as perpetrators because it’s so difficult to manage these types of cybersecurity risks.
The only alternative we have is human cognition, and so we need fairly dramatic change to ensure that we can manage the innovation and capabilities that the internet (including IoT) brings with it. And more importantly, we need to manage the cybersecurity risks that global digital connectivity is going to create for our world society in the coming years.
The NTSC’s mission specifically focuses on these issues by uniting both public and private sector stakeholders around policies that improve national cybersecurity standards and awareness—and it’s a unique mission compared to other groups.
How so? How is the NTSC different than other industry trade groups that lobby or influence policy in Washington, D.C.?
The NTSC is one of the few organizations that’s deliberately not industry-specific. Instead, it seeks to be the industry-agnostic national voice of CISOs by having deep representation from every major industry. As a board member of the NTSC, I’m not representing financial services on the Hill but all CISOs from all industries.
That’s very valuable because cybersecurity is currently the number one highest risk boardroom topic according to the National Association of Corporate Directors (NACD). The NTSC is looking at this problem holistically across all industry verticals and asking “What do we do about it?” and “What are the major legislative priorities that should be pushed by CISOs?”
What are a few examples of ways that you've personally benefited from participating in the NTSC?
Meeting with House and Senate representatives in Washington, D.C. has been very helpful in better understanding different perspectives from both the public and private sectors. Learning about best practices and thought leadership from other CISOs has been fantastic and I’ve enjoyed understanding some of the newest challenges that CISOs are facing along with solutions that work for them.
For CISOs currently not participating in the NTSC, why do they need to get involved? What are they missing?
We need to fight our adversaries as a team. No single company can spearhead the level of change that we need for even just the US microcosm alone—much less the global microcosm. The NTSC is one of the very few groups that allow for this kind of focused, high-level, peer-to-peer networking and collaboration that includes closed-door sessions with just CISOs where everybody in the room is at the same level of understanding about what needs to be done.