In SecurityWeek’s CISO Conversations series, we talk to top Chief Information Security Officers from major organizations within the critical industries to discuss the role of the CISO, and what it takes to be a successful CISO.
In this feature, SecurityWeek talks to Mastercard CISO Ron Green, and Ellie Mae CISO Selim Aissi from the finance sector, concentrating on the people problem for CISOs.
One of the biggest changes in security within business over the last two decades has been its emergence from a siloed technical office within the IT department into a mainstream function of the business itself. The CISO has followed, from being a technical expert under the CIO to someone who must now understand business processes, be able to talk business with the business leaders, and be thoroughly immersed and integrated into the entire organization. The CISO may remain under the CIO – which is a complex issue itself discussed elsewhere in this series.
The need to be business competent raises one of the primary questions on the role of the modern CISO: should he or she be a businessperson with some understanding of security, or a technical expert with some understanding of business? Green and Aissi believe it must be both in equal measure.
“I think it’s a balance of the two,” says Aissi. “I think If either one of the two aspects is stronger than the other, then the CISO will not be successful. I think if a CISO is a salesman, a great communicator all the time but doesn’t have the technical chops, then that’s a problem. And if the CISO is way deep into the technology and does not focus on the people aspects, on processes, on communication, then that CISO will also fail. It really does require a good balance between the two.”
Green agrees. He comes from a technical background, doing device exploitation and forensics for the Secret Service. This technical background insures he understands exactly what his technical security team is saying – but the need to understand the business is equally important. “I do a lot of translating to take the very technical issues and turn them into something that the business leaders who drive the company can understand – so they can make informed assessments on best paths based on the way I express the means and concerns of the security team.”
For Green, the CISO is a bridge between the two worlds, and he must have one foot firmly planted on each side.
Aissi believes there are five attributes that a good CISO needs. The first is to be a master of tactics – to be involved with all the operational challenges that arise from security incidents, to be involved with the deployment of tools, and aware of all the operational events happening all the time. The second is to be comfortable talking to people. The range of people the CISO must interact with Is huge, from business leaders to technicians, from risk people to governance, and people in other countries.
The third is to take a strategic (rather than just tactical) view of things. “Being in the weeds all the time is not a good thing,” he said. “The CISO needs to step up, and say, OK, are we really moving forward as an organization; are we maturing the security program? That’s orthogonal to the purely tactical operational aspect — being strategic at the same time as being operational.”
The fourth is being a good communicator. This is essential to being Green’s bridge between security and business. It goes both ways, being able to translate technical security issues into a language that business leaders understand – that is, in terms of risk – and to translate new business processes into technical solutions for the IT and security teams. But the ability to communicate, and enthuse, goes beyond just talking to business leaders – it requires the ability to communicate effectively with everyone in the company, from the board to employees and one’s own staff, and even customers.
The fifth is being a visionary, which takes the strategic requirement to the next level. The CISO, says Aissi, “must be able to see and predict that in two years from now we’re going to see this kind of attack, or this new trending attack pattern, and get ready for that. A CISO can’t be just reacting all the time.”
Mastering these five attributes, says Aissi, makes a good CISO – but the good CISO must have control of them all, all the time. Nevertheless, being asked to focus on one, Aissi answered, ‘people.’ “Hire the best talent, trust them, make sure they grow,” he said.
Aissi warns that there must be enough technical understanding throughout the organization to be able to understand the challenges that exist. “The threat landscape is moving extremely fast in terms of malware advances, and evasion techniques, so it’s difficult to track threats. You also need to have the whole company as aware as possible about security. That requires continuous awareness programs. A new CISO can build all kinds of amazing technologies, but if somebody clicks on the wrong attachment, then none of that is going to work if it leads to a brand new zero-day. The people delivering the threats get smarter every day, and so must we.”
The first ‘people’ requirement is probably the most difficult: ‘hire the best talent’. Given the cybersecurity skills gap, there are too many companies looking for too little talent. “There aren’t enough security professionals to fill the jobs that are vacant,” says Green. “There are more than 350,000 roles unfilled right now and within three years we will be looking at over 1 million.”
The problem is, he added, “there’s no school conveyor belt producing cybersecurity experts. So, we must go and find the talent, because it’s not being created and sent to us.” Mastercard has a couple of initiatives designed to do just this – the most ambitious perhaps being the Cybersecurity Talent Initiative.
“In this initiative, which currently involves Mastercard, Microsoft and Workday,” he explained, “we have partnered with the U.S. federal government. If a student chooses a cybersecurity degree and enrolls with us, on graduation they go and work for the government for two years. There’s about a dozen agencies involved, such as the CIA, the DoD, the FBI and others. The graduate works for them getting real world experience in handling threat actors, whether they are fraudsters or nation states. And after the two years are complete, they have the option of working for one of the three partner companies – and after working a further two years for us, we will pay off their student debt up to around $75,000.”
That’s a benefit to everyone. “The student gets his or her loans paid off, while the federal government gets exposure to talent they would not otherwise get. The government doesn’t often pay as much as the private sector,” he added, “but they offer some really cool missions that can be enticing for people to stay. And then the partner companies get people that have real world experience along with the college background to come and work for us and protect our organizations. It’s a win/win for all parties,” he said.
There is a philosophical problem here. Do large companies that can afford such initiatives cause problems lower down the talent supply food chain by poaching all the top talent? “It can do,” admits Green, but then points out a common attitude among many leading CISOs. “We’re all part of the same ecosphere, often connected by complex supply chains. It’s to everyone’s advantage if the global level of cybersecurity is raised.” Here, he has partnered with the Global Cyber Alliance “to create a small business cyber security toolkit, which provides best practices explaining why a lot of things are necessary, but we also provide a free tool to do things. There are other things we do, like being part of the Cyber Readiness Institute.”
And then there’s Girls4Tech. This is an ambitious STEM education program developed for middle school girls, and not just in the U.S. The aim is to introduce technology as an interest to 1 million girls by 2025. “This year,” said Green, “we have introduced cybersecurity and artificial intelligence into the scheme.”
Bringing women into cybersecurity serves two purposes. Firstly, it increases the overall pool of available talent, because, as Green says, “There are not a lot of women in this space.” Secondly, diversity adds new ways of thinking about problems. It is also worth mentioning that women are disproportionately successful in cybersecurity – there is a higher ratio of female CISOs than there are women in security teams.
Not many CISOs will have the funds for such initiatives – but the principle is clear: CISOs cannot wait for talent to knock at the door, CISOs must go and find and then nurture that talent.
Keeping talent is almost as difficult as finding it. This is what Aissi meant by “Hire the best talent, trust them, make sure they grow.”
“Once you’ve found the talent,” says Green, “you keep them by providing a good mission that does the right thing.” Remuneration cannot be ignored in this – Green (who has already been CISO at Mastercard for six years despite the average span of just two to four years for the life of a CISO at one place) comments, “I remember my days of being a Secret Service agent, having three kids, having to take out a second mortgage to make the right things happen, planning for getting my kids to college… there were a lot of things I couldn’t do for them. Those are not problems for me now.”
This is what the company can do for its staff – but the CISO can also do a lot. “Once we’ve brought the right people here, they need a good mission that does the right thing — you got to love what you do,” said Green. “But more than just providing a cool job, it’s got to be a place that actually encourages you to do the things you have a passion for.” Green has encouraged his staff to be involved with the local community.
“We’ve had a really focused effort on allowing people to contribute in their communities,” he said “If they have a passion for a charity, or want to engage in training people in cybersecurity, volunteer work, we actively support it by giving staff five days for voluntary work. If they work there for 40 hours, we’ll contribute an hourly rate to the charity or organization as a match. If our staff put in the time, we will contribute a salary equivalent to the time spent. People get a chance to do the things they love.”
An important part of keeping good staff is trust. “The company puts a lot of faith and trust in the people they bring on board. I do that with my employees as well,” said Green. Key to this is the CISO forging a strong relationship with the board, which allows the release of funds for the projects that will keep staff engaged.
“The company really wants to invest to ensure we have the right technologies, the right people, and the right capabilities available to us. So, we’ve enabled things like the fusion center. We have a cyber range which allows our people to test our technologies before we actually deploy them in our environment and also gives us a place for our employees to engage in real world scenarios where they can feel they are in the middle of a fight and get experience from it without actually being in a real fight. It’s a great opportunity to create an environment where we can go full-out,” he said. “We can put malware that steals information from our network on it, and allow my team to go in and fix the situation—not in theory, but actually do it.”
Most CISOs will look with envy at what the big companies can afford to do. But the principle is clear. CISOs need to surround themselves with strong, talented staff that they trust. Those people will not come knocking at the door, so CISOs need to be proactive and imaginative within their budgets to go and find them.
Having found talent, an equal amount of effort needs to be spent on keeping them. Budgets may not run to Mastercard’s cyber range, but all CISOs can maintain continuous interest, encouragement and trust in their staff. Technology can only go so far in ensuring cybersecurity – people go the extra mile.