<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CISO Spotlight Archives - Security Current</title>
	<atom:link href="/category/ciso-spotlight/feed/" rel="self" type="application/rss+xml" />
	<link>/category/ciso-spotlight/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Fri, 27 Jun 2025 19:12:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>CISO Spotlight Archives - Security Current</title>
	<link>/category/ciso-spotlight/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>CISO Spotlight: Heather Gantt-Evans, Marqeta Chief Information Security Officer</title>
		<link>/ciso-spotlight-heather-gantt-evans-marqeta-chief-information-security-officer/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Fri, 27 Jun 2025 19:12:25 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37468</guid>

					<description><![CDATA[<p>The post <a href="/ciso-spotlight-heather-gantt-evans-marqeta-chief-information-security-officer/">CISO Spotlight: Heather Gantt-Evans, Marqeta Chief Information Security Officer</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div  class="wpb_single_image wpb_content_element vc_align_left">
		
		<figure class="wpb_wrapper vc_figure">
			<div class="vc_single_image-wrapper   vc_box_border_grey"><img fetchpriority="high" decoding="async" width="1017" height="584" src="/wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta.png" class="vc_single_image-img attachment-full" alt="" title="Heather Gantt-Evans, Chief Information Security Officer at Marqeta" srcset="/wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta.png 1017w, /wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta-300x172.png 300w, /wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta-180x103.png 180w, /wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta-768x441.png 768w, /wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px"  data-dt-location="/ciso-spotlight-heather-gantt-evans-marqeta-chief-information-security-officer/heather-gantt-evans-chief-information-security-officer-at-marqeta/" /></div>
		</figure>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>Chief Information Security Officers should be thinking evergreen processes, not whack-a-mole, says Heather Gantt-Evans, CISO at financial services software provider Marqeta.</p>
<p>“The biggest challenge for the CISO role is a willingness to define a strategy, define priorities and not let your team get distracted by every little thing that pops up,” Gantt-Evans said. “You can tactically play whack-a-mole, or you can strategically create an evergreen process, system, framework to be able to not be in that place again.</p>
<p>“It’s a balance of making sure that you know if a really bad mole pops up, that you tactically address that promptly. But since you can’t do that for every little thing, you have to be able to stick to a strategy, articulate and align to your priorities, because implementing robust programs and controls takes time, and so you have to be committed and grounded in that journey.”</p>
<p>Gantt-Evans served in the U.S. Army Reserves as an all-source threat intelligence analyst, and supported Air Force Cyber Command as a contractor, focusing on cyber threat intelligence and integration of intelligence into security operations. On the corporate side, she consulted with Ernst &amp; Young to develop Fortune 100 cybersecurity programs across multiple industries; was the CISO at identity security software provider SailPoint; and served in a deputy CISO capacity at the Home Depot.</p>
<p>Gantt-Evans’ work with the military has led her to take a very threat-centric approach to how she seeks to communicate, understand and manage risk. In the military and at E&amp;Y, “I also got used to the concept of operating like a SWAT team,” she said.</p>
<p>“You’re read into new projects and new environments without a lot of context beforehand, and you have to manage through that ambiguity,” she said. “The adaptability to manage through ambiguity gives you a more grounded risk tolerance. You’re never going to know all of the facts, so being comfortable managing through that is key.”</p>
<p>In the course of her career, Gantt-Evans has gradually gone to smaller and smaller organizations, concluding that “I really value being able to reach people and put my arms around the environment.”</p>
<p>“The ability to feel that sense of completion when you’ve rolled out a security control is very important to me and my integrity,” she said. “Sometimes when you’re in these super large organizations, it’s simply not possible to achieve that. And so that’s something I’ve sought out in my current role, the ability to ensure that I can put my arms fully around the people and the infrastructure.”</p>
<p>One thing that’s top of her mind is exploring whether there are smarter ways to define operating models.</p>
<p>“We have to rethink how we operate so we can present ourselves as a singular voice to the rest of the company on what needs to be remediated,” she said. “Five or six years ago we were not talking about the same capabilities that we need in place. For example, now there are API security tools, there are attack surface management tools.</p>
<p>“And it’s not as clean of an operating model as it used to be, where maybe you had an endpoint team focused solely on endpoint agents, and a security operations team focused just on monitoring threats. Now we’re finding ourselves needing to have a lot more cohesion across services, a lot more cross training and redundancy in people. Teams’ mandates can overlap, so we can’t continue to operate in those silos that we used to have that were very clean cut.”</p>
<p>Gantt-Evans envisions the CISO role possibly evolving to focus on all digital risk, which is more broad and nuanced than just information security, and could include things such as disaster recovery, she said. She also sees the role possibly evolving into more of a resiliency role, or a customer trust role.</p>
<p>“I hope to see a future where there’s a lot more discussion about succession planning for your CISO, and how to elevate effective CISOs into some of those other broader branches within the organization,” she said.</p>
<p>Gantt-Evans said it can feel like Groundhog Day when asked to identify trends in cybersecurity, “because the trend is that it’s always accelerating in terms of the technology and the tactics the adversaries are taking.” This last includes adversarial integration of AI to help more automatically discover and exploit vulnerabilities, and to make more compelling social engineering content.</p>
<p>She’s noticed that CISOs aren’t job-hopping as much as they used to, and welcomes that mutual commitment of security leaders and companies, given that cybersecurity transformations take six-plus years to do effectively, she said.</p>
<p>“SolarWinds led the way by sticking behind their CISO during that event. I think it proved to the world that you don’t have to scapegoat your CISO to make it through a cataclysmic cyber event,” she said.</p>
<p>“Second, CISOs have been around a little bit longer, and there’s greater understanding of what they do. Thirdly, some of the policy directives coming out of the SEC and other bodies really emphasize the importance of a strong security team and strong security talent at the board level. All of these things have culminated in less fear on the CISO’s part of needing to get out before something happens, and more commitment and understanding of cybersecurity risk and how to address it.”</p>
<p>Companies might need different types of CISOs at different stages in their lifecycles, she said. A company that needs to push the engineering and development organizations to make change might need a CISO with a strong engineering and development background. Sometimes companies need a CISO who is more adept at speaking at the board and executive levels to inform and educate and reassure, she said.</p>
<p>“It very much depends on the stage the company is at with regards to security culture and awareness, and the company culture itself,” she said.</p>
<p>When CISOs are doing the hiring, Gantt-Evans thinks they need to be “a lot more creative in the non-traditional backgrounds that map really well to some security roles.”</p>
<p>“For example, I’ve had great success hiring teachers into security training and awareness leadership roles,” she said. “I’ve had great success hiring healthcare lab data scientists into vulnerability management roles. So I believe thinking through the competencies and what non-traditional backgrounds might exhibit those really strongly is a great way to add increased diversity in your team. And lastly, I would highlight that you can do so much with people who are passionate. Some of the best people I’ve worked with were self taught.”</p>
<p>How she decompresses from her high-pressure job changes with the seasons of life, Gantt-Evans said.</p>
<p>“Right now, I’m enjoying being very bored outside of work. I’ve been doing things to focus on slowing my nervous system down – red light therapy, meditation, enjoying stillness, watching my kids play,” she said.</p>
<p>“But when I’m feeling in a more outgoing season of life, I really enjoy purchasing tickets to be entertained. I feel like in our virtual world, we do so much performing by nature of being on screen. And so I really enjoy going and having a comedian or a musician or a ballet troupe or a theater troupe perform. I find that so relaxing to be able to take a step back, go into somebody else’s artistic world and not have to perform.”</p>

		</div>
	</div>
</div></div></div></div>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Arif Hameed, C&#038;R Software Chief Information Security Officer</title>
		<link>/ciso-spotlight-arif-hameed-cr-software-chief-information-security-officer/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Tue, 06 May 2025 13:59:22 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37413</guid>

					<description><![CDATA[<p>Many people are looking to break into cybersecurity, but without experience, it can be tough to get a foot in the door. Arif Hameed, Chief Information Security Officer at C&#38;R&#8230;</p>
<p>The post <a href="/ciso-spotlight-arif-hameed-cr-software-chief-information-security-officer/">CISO Spotlight: Arif Hameed, C&#038;R Software Chief Information Security Officer</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="alignnone size-full wp-image-37415" src="/wp-content/uploads/2025/05/Arif-Hameed-CR-Software.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2025/05/Arif-Hameed-CR-Software.png 1017w, /wp-content/uploads/2025/05/Arif-Hameed-CR-Software-300x172.png 300w, /wp-content/uploads/2025/05/Arif-Hameed-CR-Software-180x103.png 180w, /wp-content/uploads/2025/05/Arif-Hameed-CR-Software-768x441.png 768w, /wp-content/uploads/2025/05/Arif-Hameed-CR-Software-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px" /></p>
<p>Many people are looking to break into cybersecurity, but without experience, it can be tough to get a foot in the door.</p>
<p>Arif Hameed, Chief Information Security Officer at C&amp;R Software, advises looking into cyber-adjacent roles.</p>
<p>“My pathway started with software quality assurance, and that pivoted to IT audit, which was my springboard to cybersecurity,” Hameed said.</p>
<p>“Another path is through the help desk, which can get you into incident response. Or if you’re into quality assurance or software development, you can get into application security. A role as a site reliability engineer can lead to a position in cloud security. There are a lot of cybersecurity-adjacent roles that overlap and can pivot you into the cybersecurity role you want. Get yourself industry-recognized cyber certifications and in parallel try to build on your experiences.”</p>
<p><strong>Serving business</strong></p>
<p>Hameed’s current company develops software for credit risk management.</p>
<p>“Because we’re tied into banking customers, security is extremely important,” he said. “At the same time, we reached the conclusion that it’s not just a technologist role, but something that has to be in service of the business rather than in service of security per se.”</p>
<p>The transition from technologist to business enabler marks a major evolution in the CISO’s role as the job becomes more visible and elevated in an area of increasingly frequent and sophisticated breaches.</p>
<p>“You have to have the technical knowledge, but you have to understand along with the technology, what is the actual business risk?” said Hameed, who expects to see many more regulations as attacks mount, with a tighter push on security and privacy.</p>
<p>“As you move up the corporate ladder, the ability to communicate is vital. You need to avoid jargon, and business leaders don’t want to hear FUD – fear, uncertainty and doubt,” he said. “They want to be realistic. So you want to be a true risk manager. Look at the big picture of the war at hand and pick your battles. Win the war, not a few battles here and there.”</p>
<p><strong>Evolving role</strong></p>
<p>As the role of CISO evolves, Hameed sees many CISOs taking on the position of Chief Technology Officer, and others becoming Chief Privacy Officers.</p>
<p>“The role is evolving, but it depends on the organizational need,” he said. “What the CISO means for an organization that’s in technology is potentially very different from an organization that’s in health or finance or manufacturing.”</p>
<p>Before joining C&amp;R, Hameed was the inaugural CISO at Munich Re New Ventures and Senior Director of Client Cybersecurity at Equifax. Previously he held security roles at TD Bank, and worked in information technology audit and IT risk at Royal Bank of Canada (RBC).</p>
<p><strong>Customer-focused</strong></p>
<p>“I’m very much a customer-focused CISO dealing with external customers, so my experience in the financial services and managing external, internal and customer audits was invaluable,” he said.</p>
<p>“Customer trust is a big component. There is a lot of focus on third party risk. We’ve had a vendor that assists us with questionnaire responses, and we use another vendor for our Customer Trust portal. But it’s critical to create a process of making customer due diligence efficient, especially if you’re a CISO who is very customer facing.”</p>
<p>A good CISO has to be calm under pressure, Hameed said.</p>
<p>“Security is a very challenging field because it’s constantly changing,” he said. “You’re responsible for other people’s livelihoods. If there’s a major breach, you’re not just worried about your own head rolling, you’re also responsible for revenue implications for your company.</p>
<p>“Unfortunately, a number of people have been burned out and moved on to different roles, or even downgraded themselves. They still want to be in cybersecurity, but they don’t want to take that responsibility.”</p>
<p><strong>Time off</strong></p>
<p>Hameed encourages people on his team to take time off as needed, and ensures that he does at least semi-monthly in-person meetings, as well as team lunches.</p>
<p>“I want to have an informal and collaborative environment,” Hameed said. “I’m approachable. If anyone wants to speak to me, it doesn’t matter if you’re not my direct report. Culture is important.”</p>
<p>To relieve the immense pressure that comes with the job, Hameed walks and has recently taken up squash and pickleball.</p>
<p>“I get a lot more out of it than doing the treadmill or some other exercise, and it’s fun,” he said.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Marco Maiurano, First Citizens Bank Executive Vice President, Chief Information Security Officer</title>
		<link>/ciso-spotlight-marco-maiurano-first-citizens-bank-executive-vice-president-chief-information-security-officer/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Thu, 13 Feb 2025 15:31:37 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37236</guid>

					<description><![CDATA[<p>The board doesn’t care about your EDR solution, says Marco Maiurano. The board doesn’t care about your GRC platform, either. “I know these are controversial statements, but boards want to&#8230;</p>
<p>The post <a href="/ciso-spotlight-marco-maiurano-first-citizens-bank-executive-vice-president-chief-information-security-officer/">CISO Spotlight: Marco Maiurano, First Citizens Bank Executive Vice President, Chief Information Security Officer</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="alignnone size-full wp-image-37238" src="/wp-content/uploads/2025/02/Marco-Maiurano-First-Citizens-Bank.png" alt="" width="1017" height="584" /></p>
<p>The board doesn’t care about your EDR solution, says Marco Maiurano. The board doesn’t care about your GRC platform, either.</p>
<p>“I know these are controversial statements, but boards want to know risk,” said Maiurano, the Chief Information Security Officer at First Citizens Bank. “They want to know metrics. They want to know the business impact.</p>
<p>“They want to know why you are investing where you’re investing. How are you reducing and mitigating that risk so that they can be assured that you are doing everything you possibly can to reduce the risk as much as you can, and allow them to make sure that they can effectively challenge and govern?”</p>
<p>Maiurano was introduced to the notion of risk management as director of cyber threat intelligence and the cyber defense center at AIG, where the hot new topic about a decade ago was cyber insurance.</p>
<p>“When I think about how most folks talk about cyber, we love to talk about technical stuff, but we fail to think that not everybody is a cyber expert. But what a lot of business leaders understand is risk and risk taking,” he said.</p>
<p>Cyber wasn’t even on the radar when Maiurano was in college. As an anthropology and microbiology major, he dreamed of moving to Africa to study epidemiology.</p>
<p>But after graduation he needed a job, and as an intern at Verizon, he unexpectedly found himself managing a team of 100 union employees on the network operations team at the World Trade Center in Manhattan. That office disappeared in the 9/11 attack, and he ended up helping to rebuild Verizon’s infrastructure at WTC.</p>
<p>His next job was running the SAT program for the College Board, with responsibilities including cybersecurity. Cheating was undermining the validity of the exam, so he started doing social media monitoring to try to contain it.</p>
<p>Citigroup then recruited him to help build a cyber intelligence center there, and cybersecurity positions at AIG, Barclays and First Citizens Bank followed.</p>
<p>In his current job, he was tasked with building an information security program from the ground up.</p>
<p>“The board and the executive leadership team had the foresight to say, ‘Our aspiration is to get bigger, and with that comes higher risk. And cyber is one of the key top risks to the organization.’ So they wanted someone to come in and build a program that would be able to scale,” he said.</p>
<p>Maiurano started almost 3 ½ years ago with a team of 14 people that has since grown to 500 as acquisitions catapulted First Citizens from a regional bank to a national one, opening up a significant amount of regulatory scrutiny.</p>
<p>His experience with risk management has served him well.</p>
<p>“I think the experience from having risk background and the pure operations background positioned me really well with the board at First Citizens because I am able to have a very risk-based conversation around the threats I’m seeing,” he said.</p>
<p>In many large industries, Maiurano sees the role of the CISO becoming more of a true executive role.</p>
<p>“There’s not one board conversation when you’re not talking about a cyber attack or some type of resilience. Regulators are driving a lot of this, but I think boards, at least in financial services, are making sure to engage with CISOs, and there’s an expectation that there is board exposure to the CISO.</p>
<p>“The CISO is not the person in the back room now making sure you’re patching your stuff and writing your reports,” he said. “The role is really around how am I partnering with the business to make sure that I can match their aspirations of where they want to take the organization. And eventually, I have a feeling that you’re going to see more CISOs on boards.”</p>
<p>Maiurano’s biggest challenges today are the regulatory environment and the dynamic threat landscape.</p>
<p>“It’s good and it’s important that we have regulation, but managing it takes an army to do that,” he said.</p>
<p>“And the threat environment is constantly evolving. One of the challenges is to make sure your board, your executive management team, the folks who own the funding, understand that. Peers have said they’ve been asked, ‘Well, nothing’s happened yet, so why should we continue to fund?’ And that’s a really hard conversation to have if you don’t have data and you don’t understand risk.”</p>
<p>The ever-changing threat environment means CISOs must try to keep pace with malicious actors as they use new technologies such as artificial intelligence.</p>
<p>“You don’t want to bring a knife to a gunfight, so you want to make sure that you are understanding where things are changing and going,” Maiurano said. “Technology is not going to stop, and we’ve got to figure out how to lean into it and make sure that we are leveraging it for good as well.”</p>
<p>CISOs not only have to identify risk, but they also operate the controls to mitigate it. The constant inundation with data, the constant analysis, and the constant efforts to rationalize create relentless pressure, and that takes a toll on security practitioners, Maiurano said. That makes watching out for the team’s well-being yet another challenge.</p>
<p>“Burnout is real in our industry,” he said. “How do you make sure you’re giving people rest? How are you making sure people are thinking about their health?”</p>
<p>Maiurano decompresses with martial arts – Brazilian jujitsu and Muay Thai. He also loves to travel with his family, with trips to Iceland and Easter Island in the offing.</p>
<p>Does he regret not going into epidemiology or anthropology?</p>
<p>“People often ask what I’m going to do when I retire, and I say, just be an anthropologist. It might be something I would go back into, but I don’t regret not having done it as a career,” Maiurano said. “My philosophy on life is you just go where it takes you. I don’t try to plan everything because as much as you plan, someone else has got another plan for you.”</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Anahi Santiago, ChristianaCare CISO</title>
		<link>/ciso-spotlight-anahi-santiago-christianacare-ciso/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Wed, 05 Feb 2025 16:58:19 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37227</guid>

					<description><![CDATA[<p>Building trust and driving meaningful change in healthcare cybersecurity. Anahi Santiago, CISO at ChristianaCare, shares her insights on effective leadership, mentorship, and work-life harmony. 'I want to be remembered by a legacy... thinking about the impact I had on healthcare, how I helped the industry evolve and improve.'</p>
<p>The post <a href="/ciso-spotlight-anahi-santiago-christianacare-ciso/">CISO Spotlight: Anahi Santiago, ChristianaCare CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37230" src="/wp-content/uploads/2025/02/Anahi-Santiago-Spotlight.png" alt="" width="1017" height="584" /></p>
<p>Interacting consistently with business leaders has allowed Anahi Santiago, Chief Information Security Officer at healthcare provider ChristianaCare, to win a coveted seat at the table.</p>
<p>“When I moved to ChristianaCare, one of the first things that I did was schedule time with all of the executives,” Santiago said. “And my approach wasn’t, ‘Here’s why cybersecurity is important,’ but to ask them, ‘What’s important to you? What are your challenges? What are the outcomes that you’re looking to achieve? And then let’s have a conversation about how I can help you through cybersecurity.’ That has helped to build the trust that has given me continuous invites to the table.”</p>
<p>Santiago began her career running all of the large global infrastructure projects for Unisys. “All of the areas I worked in had a cybersecurity component to them, and I just gravitated toward it. I just found the topic of security to be more interesting than other IT components,” she recalled.</p>
<p>Although “you couldn’t put a price on the knowledge I was gaining at Unisys,” she said, she was bartending to make ends meet. A contact there told her about an information security job opening at Einstein Healthcare Network, and that was the start of almost 20 years of healthcare cybersecurity experience.</p>
<p>“My husband reminds me all the time, ‘Not everybody loves their job like you love your job.’ I’m lucky,” she said.</p>
<p>Santiago’s background is in electrical and computer engineering, and her analytical mindset and a thirst for learning have shaped her ability to succeed in the ever-changing world of cybersecurity, she said.</p>
<p>But she is also a business-focused executive who puts a premium on translating complex technical concepts in a way that clinicians and business leaders can understand.</p>
<p>“By understanding their challenges I can help them to achieve their outcomes while building the trust that’s needed to create a culture of cybersecurity where we’re designing cybersecurity into strategy as opposed to bolting it on,” she said.</p>
<p>When she joined Einstein, there was no security program, so it was up to her to build one and convey its importance to executives and clinicians. That required getting to know the business.</p>
<p>“Taking that approach of getting to know the environment before just coming in and wielding controls that could potentially kill people was really important,” Santiago said. “And I’ve sustained that approach at ChristianaCare.”</p>
<p>This responsibility toward the lives and well-being of patients puts healthcare cybersecurity in a realm of its own, Santiago said.<br />
“I think a lot of people who work in healthcare, specifically in the provider space, are mission oriented. We all get up in the morning recognizing that what we do is really impactful to people’s lives, not just to the bottom line,” she said.</p>
<p>“I’m often asked, how do you want to be remembered? I want to be remembered by a legacy, people thinking about the impact I had on healthcare, how I helped the industry evolve and improve. I think we all have a passion and a mission, and as executives, we really have a unique opportunity to drive meaningful change.”</p>
<p>Mentorship is a topic close to Santiago’s heart. While many information security professionals fret about a lack of skills and talent, she has a different perspective.</p>
<p>“I think part of our roles as industry leaders should be to build and infuse the talent in the industry by not just looking for the tenured unicorn who has 15 years of experience and commands a ton of money,” she said. “We should be finding the people who are hungry to learn, hungry to contribute, and give them an opportunity by teaching them.</p>
<p>“I would rather hire somebody who doesn’t have any cybersecurity experience and give them the foundation to grow than to hire somebody I’m going to lose a year from now because the market is so competitive. So our approach to building our team is generally to look for that entry-level talent that is hungry to learn and contribute, teach them cybersecurity, elevate them through our team, grow them into senior-level roles, and then utilize them to then mentor the new generation of cybersecurity professionals.”</p>
<p>As an industry veteran, Santiago has seen the CISO’s role evolve from technologist to business leader, and she expects it to be elevated further, with increased influence, responsibility and posture within the organization. In many healthcare organizations, the position has merged with the role of Chief Technology Officer, she said. “And I won’t be surprised if sometime in the next decade the trend will be for information technology or other areas of the organization to report to the CISO,” she added.</p>
<p>The threat landscape is also evolving, with malicious actors transitioning from the guy in a basement to full-fledged companies with the ability to grow a lot faster than information security programs can, just by nature of budgeting dynamics, Santiago said.</p>
<p>“For healthcare, the challenges will be around the fact that the four walls of the hospital are disappearing and virtual care is here to stay,” she said. “And so building architectures and capabilities where we have the same level of visibility as we do inside the four walls of the hospital is going to become critical.”</p>
<p>That’s going to be especially challenging at a time when healthcare budgets are getting tighter, she said.</p>
<p>In an era of CISO burnout, Santiago is a firm believer in work-life harmony. Years ago, she used to work 14 or 15 hours a day, but when she went to do an executive MBA, she had to cut back.</p>
<p>“Nobody noticed. My performance didn’t degrade, evaluations didn’t degrade, and at that point I realized, I’m not going back. I really believe in turning it off at the end of the day, and moving out to running marathons, going to dinner with my husband, and traveling,” she said.</p>
<p>“I’m intentional about drawing a line between work and my personal time, and I’m really protective of this. I think this is a message we need to make sure we’re delivering, and I’m certainly delivering this with my team.”</p>
<p>The post <a href="/ciso-spotlight-anahi-santiago-christianacare-ciso/">CISO Spotlight: Anahi Santiago, ChristianaCare CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Dr. Jamaine Mungo, Philadelphia International Airport CISO</title>
		<link>/ciso-spotlight-dr-jamaine-mungo-philadelphia-international-airport-ciso/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Tue, 12 Nov 2024 17:20:54 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37170</guid>

					<description><![CDATA[<p>Looking toward the future is what guides Dr. Jamaine Mungo, Chief Information Security Officer at Philadelphia International Airport. “I see myself as a captain on a ship, always looking ahead&#8230;</p>
<p>The post <a href="/ciso-spotlight-dr-jamaine-mungo-philadelphia-international-airport-ciso/">CISO Spotlight: Dr. Jamaine Mungo, Philadelphia International Airport CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="1017" height="584" class="wp-image-37173" src="/wp-content/uploads/2024/11/Dr.-Jamaine-Mungo-Philadelphia-International-Airport-CISO.png" alt="" /></figure>



<p><span style="font-weight: 400;">Looking toward the future is what guides Dr. Jamaine Mungo, Chief Information Security Officer at Philadelphia International Airport. </span><span style="font-weight: 400;"><br /></span><span style="font-weight: 400;"><br /></span><span style="font-weight: 400;">“I see myself as a captain on a ship</span><span style="font-weight: 400;">, always looking ahead toward the horizon, not just thinking about now, </span><span style="font-weight: 400;">but thinking about the future</span><span style="font-weight: 400;">,” Mungo said. “</span><span style="font-weight: 400;">That helps me to really look out to see what’s coming down the line so that we can be prepared to be proactive and not reactive.”</span></p>



<p><span style="font-weight: 400;">Innovation is a major pillar of his security program. <br /><br />“When I speak of innovation, I’m looking at automation and the use of AI to really help dig into the data so that it is beneficial to our environment,” Mungo said. “My team does a great job at ensuring the required controls are in place and maintained to keep us moving ahead and planning for the ‘when,’ not the ‘if.’ I’m really excited about that.” <br /><br />Staying innovative is his top advice to security practitioners just entering the field. <br /><br />“Coming in, you’ll see many problems,” he said. “Bring that level of new eyes on a problem to develop a strong solution so it will never be a problem again.” </span></p>



<p><span style="font-weight: 400;">Having started on a customer help desk, listening to users and hearing their problems, was a formative experience.</span></p>



<p><span style="font-weight: 400;">“Having a customer service base, and then turning problems into solutions, has helped me evolve over time,” said Mungo. “Throughout my career I have kept that in my back pocket.” <br /><br />Before arriving at Philadelphia International Airport this year, Mungo secured government agencies and corporations, with roles at Lockheed Martin, Comcast, and the Office of the Attorney General of New Jersey. His experience has given him a grounded understanding of what it takes to secure environments big and small, helping him to know what areas to lock down to keep that level of security at an optimal presence, he said. <br /><br />The sheer size and complexity of an airport is a challenge, but being prepared and having a plan in place are very important.<br /><br />“But I’m always optimistic, knowing that I have the proper resources in place, all the proper controls in place, to ensure that the environment stays secure, that flights can take off and land, and passengers are happy,” Mungo said.</span></p>



<p><span style="font-weight: 400;">Sharing knowledge has always been a big part of Mungo’s professional life. At PHL, knowledge-sharing has come to play an even bigger role. <br /><br />“Within the aviation industry specifically, there’s a huge component of knowledge sharing, through forums and groups,” Mungo said. “Ten, fifteen years ago, there was not a lot of knowledge sharing. But now, with a constant level of threats, and potential impacts on an environment, people tend to share. Knowing what’s going on in someone else’s environment can help you out on your own, so you’re not spinning your wheels in the mud trying to figure something the next person has already figured out.”<br /><br />The landscape on which CISOs operate is so wide that they have to wear many hats when it comes to governance, risk, compliance, vulnerability management, threat intelligence, and talking to senior management and the board, Mungo said. Another crucial component is knowing the business, he added. <br /><br />“You’ve got to know how the business operates, how it functions, how it makes money, who the key stakeholders are, and what’s being done to grow the business,” he said. “Knowing how the business functions allows me, as a CISO and a leader, to function and be aligned with the business.”<br /><br />Looking ahead, Mungo sees already-prolific ransomware attacks getting smarter day by day. <br /><br />“The reason they’re so successful is because they prey on the user sitting behind a keyboard,” said Mungo, author of </span><i><span style="font-weight: 400;">Anatomy of Cyber Attacks: Exploitation of the Weakest Link. </span></i><span style="font-weight: 400;">“Companies have invested millions of dollars into using protective solutions to secure their environments, but all that gets compromised when a user gets exploited. That’s the biggest trend I’m seeing over the years, exploiting the actual user. 
<br /><br />“Another trend I see is adversaries targeting third party companies, because they have fewer controls in place. So I would say having a strong third party risk management program in place is crucial.”<br /><br />As an industry veteran with more than 25 years of experience, Mungo has accumulated a great deal of knowledge that he is committed to passing on. <br /><br />“I’ve always been a big fan of giving back to the community or to academia,” said Mungo, who holds a doctorate in Cybersecurity and has been a professor at Cornell University, Purdue University and North Carolina A&amp;T State University.</span> <span style="font-weight: 400;"><br /></span> <span style="font-weight: 400;"><br />“When it comes to academia, I know that I’m giving back to the next generation of leaders and equipping them with the knowledge and toolsets that will help them in their career or to get started in the career they make and help them excel.” <br /><br />Successful CISOs listen and learn, Mungo said. <br /><br />“You’ve got to have that customer service base level. Are you talking to people? You’ve got to know how to listen to people, first to understand the problem, and then to develop a solution.”<br /><br />They also need to set goals and objectives, and know how to articulate messages if they want to influence and lead, he added. <br /><br />“We’re talking to a wide range of people, so having the ability to communicate is definitely key,” Mungo said. <br /><br />Mungo is deeply committed to community service, serving as president of the Kappa Iota Lambda Alumni Chapter of Alpha Phi Alpha Fraternity, Inc., which honored him with the Leader of the Year Award for his dedication to community development and engagement. He leads various regional programs supporting youth development, college preparedness and career development. 
<br /><br />“I’ve always been an advocate of supporting, uplifting and serving the community, to give them what is needed to thrive,” Mungo said. </span></p>



<p><span style="font-weight: 400;">Aside from his community work, Mungo spends off-duty time running, going to the gym, and playing football and basketball to relax and decompress. </span><span style="font-weight: 400;"><br /></span><span style="font-weight: 400;"><br /></span><span style="font-weight: 400;">“I tell my friends, you don’t just have to work,” he said. “Have something else to do to really balance yourself after your day job. I do that all the time. It helps with release of stress to focus on something other than work. Burnout is really real.”</span></p>
<p>The post <a href="/ciso-spotlight-dr-jamaine-mungo-philadelphia-international-airport-ciso/">CISO Spotlight: Dr. Jamaine Mungo, Philadelphia International Airport CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Jack Burback, Wintrust Financial Chief Security Officer</title>
		<link>/ciso-spotlight-jack-burback-wintrust-financial-chief-security-officer/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Wed, 23 Oct 2024 18:10:20 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37160</guid>

					<description><![CDATA[<p>Innovation is key to staying ahead of the curve on cybersecurity, and at Wintrust Financial, Chief Security Officer Jack Burback has established innovation teams to create new resources and develop&#8230;</p>
<p>The post <a href="/ciso-spotlight-jack-burback-wintrust-financial-chief-security-officer/">CISO Spotlight: Jack Burback, Wintrust Financial Chief Security Officer</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37162" src="/wp-content/uploads/2024/10/JACK-BURBACK.png" alt="" width="1017" height="584" /></span></p>
<p><span style="font-weight: 400;">Innovation is key to staying ahead of the curve on cybersecurity, and at Wintrust Financial, Chief Security Officer Jack Burback has established innovation teams to create new resources and develop subject matter expertise.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“We take volunteers from each of my teams, representing fraud, access management, information security, corporate security and the like, they look at all of the different threats and opportunities that we have, and then they create recommendations,” Burback said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“They formulate a training curriculum, identify use cases and different technologies we should consider. One of our goals is to develop a subject matter expertise group within our team that can evaluate the space and provide recommendations on how we could move forward, as well as help support the business when it has questions.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The first team was created around artificial intelligence, and another is considering the future of financial services.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“The team members, who meet virtually, really like it because it’s not part of their daily job, and they really get to think outside the box,” he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Burback started out in the industry doing information technology consulting, then joined HSBC to help build out its global security programs for incident management and third-party risk management. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">At HSBC, he saw an excellent opportunity to strengthen his understanding of the financial industry. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“It was pretty obvious to me that most of my strengths were in the technology side of things, and that I really needed to expand my understanding of business to be a better leader and business partner,” he said. “So that’s why I went to get an executive MBA.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“These days, to be a successful CISO, you have to understand the business. If you’re strictly focusing on it from a technology or risk perspective, you’re going to miss a lot of the opportunities to support the business by reducing the risk as it moves into different areas or considerations.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">After several years at HSBC, Burback moved to security integrator Forsythe Technology, advising Fortune 1000 customers on building security programs. He then pivoted to the startup world, building Ionic Security’s services program from the ground up.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">A former HSBC colleague brought him into Wintrust as his deputy CISO. He was appointed chief security officer nearly three years ago, with responsibility for information security, access management, fraud and physical security. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Part of information security ties back to the physical controls around protecting information,” he said. “A large part of fraud is also tied to technology components. And so we decided as an organization to bring those together since there was quite a lot of intersection, and it’s worked quite well.” </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Burback’s wide-ranging experience has given him “a unique opportunity to see both how the vendor side works, in addition to the corporate side, from a financial services perspective as well as professional services,” he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">At Wintrust, Burback places an emphasis on bringing in good talent and developing the team. He offers a well-defined career path that includes getting team members the training and opportunities they seek to make an impact within the organization. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“If we’re able to continue to challenge them and bring them new opportunities, I think it goes a long way,” he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">He has also developed a program to help recent college graduates get a foot in the door. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“You don’t have very many positions at all in the industry for entry level recent graduates. So we’re seeing individuals with master’s degrees in cybersecurity taking internships because they don’t have entry level positions available to them,” he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“We created a rotational program where we’re taking recent college grads full time for two years, and each six months they work in a different area of information security. This program makes them very well rounded, and they can take a position somewhere in the team when that opens up. It also gives them a better understanding of what they would like to do in the information security space, where there is such a broad array of jobs.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Becoming well-rounded is his top advice to all new security practitioners. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Don’t pigeonhole yourself in one area. You really need to understand the full scope of the information security space as a whole by leveraging opportunities to expand your role and ongoing training.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The other big piece is to understand your business, he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Start to network within your organization with those who are not on the information security team to understand different departments, what’s important to them, and what makes the company successful as a business,” he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“That gives them some great visibility to why the business may push back or have concerns with certain controls, or how their requirements may change over time.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Five years ago, Burback and a group of other CISOs founded a not-for-profit called ChiBrrCon, which mounts an annual conference in Chicago to help develop information security talent, and to provide networking and other opportunities for people trying to get into the business. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Outside of work, Burback, his wife and four children are very active, going boating and fishing and camping. He serves as assistant coach on his boys’ hockey team, and plays a lot of hockey himself, as goalie. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“There’s a direct parallel to my playing goalie,” he said. “It’s been pointed out many times that it correlates to my profession.”</span></p>
<p>The post <a href="/ciso-spotlight-jack-burback-wintrust-financial-chief-security-officer/">CISO Spotlight: Jack Burback, Wintrust Financial Chief Security Officer</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Mandy Andress, Elastic CISO</title>
		<link>/ciso-spotlight-mandy-andress-elastic-ciso/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Thu, 10 Oct 2024 11:40:14 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37143</guid>

					<description><![CDATA[<p>There’s much talk these days about the need for CISOs to develop business acumen and position themselves as business leaders, and not just security leaders. Mandy Andress, Chief Information Security&#8230;</p>
<p>The post <a href="/ciso-spotlight-mandy-andress-elastic-ciso/">CISO Spotlight: Mandy Andress, Elastic CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37145" src="/wp-content/uploads/2024/10/Mandy-Andress-Elastic-CISO.png" alt="" width="1017" height="584" /></span></p>
<p><span style="font-weight: 400;">There’s much talk these days about the need for CISOs to develop business acumen and position themselves as business leaders, and not just security leaders. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Mandy Andress, Chief Information Security Officer at Elastic, came into the industry two decades ago with those chops, putting her way ahead of that curve. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Because my background is in business and I have a strong understanding of business and financial aspects, I was able to really focus on what’s a realistic and pragmatic security program, and to align with the goals and objectives of the company I was with,” said Andress, who has a bachelor’s degree in accounting. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">That’s been useful when competing with other units in a company for scarce resources. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“There’s always a resource crunch – money, people – and that’s not just security. So it’s a question of how to make the case for why this investment in security is the best investment compared to all of the other areas across the business that are asking for investment as well,” she said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“It’s understanding and tying it to business goals and business objectives, to help senior leadership and executives make an informed decision on where to allocate that capital and those resources.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The CISO job is certainly getting less and less technical, Andress said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Pretty much all of my focus now is just understanding the strategic picture, both of where the company wants to go, and what that means for adjustments or new things we need to focus on as part of the security program,” she said. “It’s tying it to customer impact, revenue impact, those things that are aligned with the terminology and focus areas of other executives across the organization. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“It’s also helping folks – certainly within the security team – find the comfort of what’s good enough for the organization, and what priorities need to be worked on.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">A lot of people get into security because they love continuous learning, and Andress puts learning front and center for her team, including time to try new things and shadowing projects with other groups, in addition to conferences and other standard forms of training. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">That ties in to a major trait Andress thinks a successful CISO should possess: curiosity. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“First for me is always curiosity, and seeking to understand what do we need to focus on, or human behavior, and asking questions and understanding why this isn’t the best approach for you and your team,” she said.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Calmness is another desirable trait. “When something happens, people do get afraid and nervous, and as a security leader, folks are looking to you to lead them through events. If you’re nervous and scared, that just makes everyone around you feel that way, and sometimes makes situations worse.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">She also values the ability to question or challenge oneself, because security is moving so quickly. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“What we’re doing today isn’t necessarily the best way or the most effective,” she said. “We have to be OK with spending six months working on a project and deploying it, only to have it be almost irrelevant because something changed in the world that we couldn’t necessarily anticipate or control. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“At the same time, we want to be proactive and try to anticipate. That’s where the challenge comes from. You don’t always want to be reactive.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Andress has a rolling, 18-month strategy that is reviewed quarterly, to see what’s changed in the threat landscape, the business roadmap and the business objectives, and adjust as needed. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“For me, it’s focusing on a risk-based, risk-driven program to drive those priorities, and always questioning and trying to ensure that we’re spending our time on the most important areas and topics that will have the most impact from a risk mitigation perspective,” she said.   </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Andress got into technology at the recommendation of a professor.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“I’ve always enjoyed tech, but didn’t quite understand at the time what kind of a career path there would be. And I was really focused on business,” she recalled. “So I was in an accounting information systems class and this professor pulled me aside after class one day and said, ‘Hey, you’ve got a knack for this. Have you ever looked at this systems auditing focus? I think you’d be good at it.’ So I got an internship in that area and moved on from there.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">That pivot included obtaining a master’s degree in management information systems. Andress set out on her professional road as a systems auditor, then moved into design, architecture and solution generation for security. </span></p>
<p><span style="font-weight: 400;">“I found that I loved the combination of understanding an industry, a business, a culture, a tech stack, and putting all of that together to craft a security program for a company,” she said. “And that’s what I’ve been focused on the last 20 years.”  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Another inflection point was California’s passage in 2002 of the first Data Breach Notification Act, which “put me down the rabbit hole of really looking at and understanding how to apply old laws to new technology, and the challenges that created.” </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">That piece ultimately set her on a path to law school, studies that helped her interpret regulations and legal language and apply them to a security program.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The bulk of her career before she joined Elastic was spent at MassMutual. She’s also served as an adjunct faculty member at the University of Massachusetts Amherst, and advises several venture capital firms. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">At Elastic, she is responsible for all things related to cybersecurity and data security. Innovations she has initiated include an emphasis on transparency.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Coming in, I was really focused on maintaining a high level of transparency, because the more folks understand, the more it’s real to them and they can see their role in it. Past organizations I’ve worked in security was super secret, and that created a whole other path of people not necessarily understanding what was happening,” she said.  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“There are a few things you can’t be fully transparent on, but there’s a lot more we can share than I think we often think we can,” she said. “And the more you do that, the more you help the rest of the company understand what’s happening. Folks want to do the right thing, but they often don’t know what that is for them. So just helping build that awareness and that education, tied to something that is tangible to them and their day-to-day life, something critical to their livelihood, breaks down some of those barriers and silos.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Andress’ strategy for managing the high-level stress that comes with the job entails compartmentalization, and disconnecting with her three teenagers, two dogs and two cats.</span></p>
<p><span style="font-weight: 400;">“As a CISO, you’re on 24/7, but I’ve been able to compartmentalize better over the years, whether that’s out with the kids or playing with the animals, finding those things to help create that disconnect,” she said. “That’s something that was really helpful for me to learn and do over the years.” </span></p>
<p>The post <a href="/ciso-spotlight-mandy-andress-elastic-ciso/">CISO Spotlight: Mandy Andress, Elastic CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Oded Blatman, Fireblocks CIO &#038; CISO</title>
		<link>/ciso-spotlight-oded-blatman-fireblocks-cio-ciso/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Thu, 19 Sep 2024 06:03:22 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37065</guid>

					<description><![CDATA[<p>Oded Blatman is a strong believer in the convergence of business objectives with security imperatives. As a security and business leader, he is deeply committed to building world-class teams and&#8230;</p>
<p>The post <a href="/ciso-spotlight-oded-blatman-fireblocks-cio-ciso/">CISO Spotlight: Oded Blatman, Fireblocks CIO &#038; CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37069" src="/wp-content/uploads/2024/09/Oded-Blatman.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/09/Oded-Blatman.png 1017w, /wp-content/uploads/2024/09/Oded-Blatman-300x172.png 300w, /wp-content/uploads/2024/09/Oded-Blatman-180x103.png 180w, /wp-content/uploads/2024/09/Oded-Blatman-768x441.png 768w, /wp-content/uploads/2024/09/Oded-Blatman-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">Oded Blatman is a strong believer in the convergence of business objectives with security</span> <span style="font-weight: 400;">imperatives. As a security and business leader, he is deeply committed to building world-class</span> <span style="font-weight: 400;">teams and taking a strategic approach to risk management that always balances the needs of</span> <span style="font-weight: 400;">the business with the realities of security.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“I’m good at taking companies and building innovative security strategies and programs to help</span> <span style="font-weight: 400;">meet future business objectives,” said Blatman, Chief Information Officer and Chief Information</span> <span style="font-weight: 400;">Security Officer at Fireblocks, whose platform allows financial institutions to securely manage</span> <span style="font-weight: 400;">digital assets and cryptocurrencies across a wide range of products and services.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“My expertise is building and guiding high-performing teams of experts, and bringing the right</span> <span style="font-weight: 400;">strategy in a holistic program to help the company realize its strategic business goals three or</span> <span style="font-weight: 400;">four years out.”</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">Blatman’s professional journey has taken him from a long career in defense to cloud software,</span> <span style="font-weight: 400;">finance, and now Fireblocks, where the many strands of his experience come together in what</span> <span style="font-weight: 400;">he considers the apex of his career.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“I needed to utilize all my knowledge in finance, defense and cloud computing and security to</span> <span style="font-weight: 400;">meet the challenge of Fireblocks. Fireblocks is a place where I put all my knowledge, skillsets</span> <span style="font-weight: 400;">and dreams in one place.”</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">Having founded two startups himself and worked at major companies, Blatman adamantly</span> <span style="font-weight: 400;">believes that CISOs need to see the wider picture of the business and its goals, stakeholders,</span> <span style="font-weight: 400;">constraints and dependencies. They also need to be strategic planners, with visions of where</span> <span style="font-weight: 400;">they want to be two to three years out.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">Because CISOs can’t make their companies 100% bulletproof, they have to balance risk,</span> <span style="font-weight: 400;">threats and operational usages delicately, he said.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“If you cannot balance and work in the gray area, and you’re only black and white, you will</span> <span style="font-weight: 400;">not</span> <span style="font-weight: 400;">succeed,” he said. “The art is managing the risk.”</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">CISOs definitely should be sitting around the leadership table as executives, reporting to CEOs,</span> <span style="font-weight: 400;">Blatman added.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“They have to translate business and financial objectives to infrastructure that should be secure</span> <span style="font-weight: 400;">and innovative, and bring efficiency in everything that the business is doing,” he said.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">He envisions the role merging with the position of Chief Information Officer or Technological</span> <span style="font-weight: 400;">Chief Operating Officer, especially at medium and small companies, to streamline processes</span> <span style="font-weight: 400;">and enhance operational efficiency.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“I truly believe that for medium and small companies, the CIO and CISO merger makes the work much more efficient,” said Blatman, who has served in that dual role twice.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“Both must analyze the business objectives and translate them into a practical work stream</span> <span style="font-weight: 400;">while understanding efficiencies and other stakeholders’ requirements. A CISO-CIO can</span> <span style="font-weight: 400;">streamline a lot of the pain points. Everything can get prioritized more efficiently for the</span> <span style="font-weight: 400;">business, with information systems and security working in harmony rather than conflict. It’s</span> <span style="font-weight: 400;">providing the business with information and technological infrastructure that is both efficient and</span> <span style="font-weight: 400;">secure in the first place, without prioritizing one over the other.”</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">Blatman began his professional road at Israel Aerospace Industries, a leading Israeli defense</span> <span style="font-weight: 400;">company.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“I was fascinated by the challenge of taking really big projects, analyzing them, finding</span> <span style="font-weight: 400;">technological solutions, then tailoring all the technological pieces back together and making</span> <span style="font-weight: 400;">sure that this system is serving its purpose of protecting citizens or critical assets,” he said.</span> <span style="font-weight: 400;">“Working for the defense industry, with cutting edge technologies, and doing a lot of</span> <span style="font-weight: 400;">sophisticated innovation engineering to provide systems that save lives gives you a sense of</span> <span style="font-weight: 400;">purpose.”</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">Burgeoning demand for cybersecurity spurred him to leave IAI after 11 years to open his own</span> <span style="font-weight: 400;">companies. One developed offensive security for critical markets, while the other consulted on</span> <span style="font-weight: 400;">technology and strategy. That experience matured his perception of conducting business by</span> <span style="font-weight: 400;">exposing him to things outside the scope of security like go-to-market strategies, finance,</span> <span style="font-weight: 400;">product development and R&amp;D.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“It enabled me to understand the business aspect of where technology and IT and security fit in</span> <span style="font-weight: 400;">the business,” Blatman said. “That’s become a really important thing for CISOs these days.</span> <span style="font-weight: 400;">They’re expected to be business leaders, and not just to keep the place secure at all costs.”</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">In the ensuing years, he rejoined IAI as CISO, then pivoted away from defense to become CIO</span> <span style="font-weight: 400;">and CISO at ClickSoftware, a cloud technology company later acquired by Salesforce. He led</span> <span style="font-weight: 400;">the M&amp;A security due diligence for the $1.4 billion acquisition, which had faltered a year earlier</span> <span style="font-weight: 400;">over security concerns.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“It was the first time I actually led a global operation of strategic long-term planning,” he said.</span> <span style="font-weight: 400;">“That was a significant transition from where I had been.”</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">After the acquisition, he stayed on for another year, becoming part of one of the biggest security</span> <span style="font-weight: 400;">teams in the world. A desire to learn about the financial industry took him to Bank Hapoalim,</span> <span style="font-weight: 400;">where as CISO, he led global security activities for Israel’s largest bank. From there, he moved</span><span style="font-weight: 400;"> on to Fireblocks. </span></p>
<p><span style="font-weight: 400;">Fireblocks provides a suite of applications to manage digital asset operations and a complete</span> <span style="font-weight: 400;">development platform to build business on the blockchain. As a digital assets company, it must be at the high end of security.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">To succeed, a CISO has to get the engagement of the different stakeholders in the company.</span> <span style="font-weight: 400;">The art is to balance the business and other stakeholders&#8217; objectives with security, Blatman</span> <span style="font-weight: 400;">said.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“This doesn’t mean that security is deprioritized, but it does mean managing risk between</span> <span style="font-weight: 400;">security and operations,” he said. “I believe a good security practice is about implementing</span> <span style="font-weight: 400;">direct and compensating security controls that will enable the company to keep its operations</span> <span style="font-weight: 400;">trajectory but still do it in a secure manner.”</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">Communication between the security team, management and peers is therefore key – as it is for</span> <span style="font-weight: 400;">any CISO, he added.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“Many CISOs come with the attitude, my way or the highway. That doesn’t scale. It needs to be</span> <span style="font-weight: 400;">a team effort,” Blatman said.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">Because of the nature of crypto and related security threats, Fireblocks invests heavily in</span> <span style="font-weight: 400;">innovation and in setting the highest bar for resiliency and protection in its technology stack, its</span><span style="font-weight: 400;"> development processes, its monitoring and its security culture. </span></p>
<p><span style="font-weight: 400;">It&#8217;s also always on the lookout for the next wave of threats and therefore engages with many</span> <span style="font-weight: 400;">early-stage startups, serving as a beta site for promising technologies and integrating useful</span> <span style="font-weight: 400;">platforms.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">Ultimately, however, Blatman’s guiding principle is that “everything you do is around people.”</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“People are not machines. They want to be developed. They want to be heard. They want to be</span> <span style="font-weight: 400;">reinforced and backed up, especially when they’re failing. And failing is part of the business,</span> <span style="font-weight: 400;">because if you’re not failing, you’re probably not doing something that is sophisticated and</span> <span style="font-weight: 400;">meaningful enough or innovative enough to move the needle. Take care of your people. You’re</span> <span style="font-weight: 400;">as successful as they are.”</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">For many years, Blatman had no outside hobbies, because time was too short. It took a toll, and</span> <span style="font-weight: 400;">he is painfully aware of the burnout sweeping across the industry. But about a year and a half</span> <span style="font-weight: 400;">ago, after his young son left him alone with the Lego model they were playing with, he began to</span> <span style="font-weight: 400;">take an interest in crafting, building airplanes and other models.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“It gives me tons of joy, disconnecting for hours,” he said. “It gives me silence to paint and be</span> <span style="font-weight: 400;">creative, and learn new things like putting in electricity, and doing programming that I haven’t</span><span style="font-weight: 400;"> done for a long time.” </span></p>
<p><span style="font-weight: 400;">He also likes to cook and hang out with his three children.</span><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">“It’s really important to have something outside of work; otherwise CISOs burn out very fast,” he</span> <span style="font-weight: 400;">said. “You’ve got to have some other things in mind besides risk, 24/7 operations and security </span><span style="font-weight: 400;">all the time.”</span></p>
<p>The post <a href="/ciso-spotlight-oded-blatman-fireblocks-cio-ciso/">CISO Spotlight: Oded Blatman, Fireblocks CIO &#038; CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Adam Fletcher, Blackstone Chief Security Officer</title>
		<link>/ciso-spotlight-adam-fletcher-blackstone-chief-security-officer/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Thu, 12 Sep 2024 13:45:19 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37059</guid>

					<description><![CDATA[<p>Adam Fletcher didn’t even know what cybersecurity was when he got into it. But he had a knack for computers, and a friend persuaded him to join a startup that&#8230;</p>
<p>The post <a href="/ciso-spotlight-adam-fletcher-blackstone-chief-security-officer/">CISO Spotlight: Adam Fletcher, Blackstone Chief Security Officer</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37061" src="/wp-content/uploads/2024/09/Adam-Fletcher-Blackstone-CSO.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/09/Adam-Fletcher-Blackstone-CSO.png 1017w, /wp-content/uploads/2024/09/Adam-Fletcher-Blackstone-CSO-300x172.png 300w, /wp-content/uploads/2024/09/Adam-Fletcher-Blackstone-CSO-180x103.png 180w, /wp-content/uploads/2024/09/Adam-Fletcher-Blackstone-CSO-768x441.png 768w, /wp-content/uploads/2024/09/Adam-Fletcher-Blackstone-CSO-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">Adam Fletcher didn’t even know what cybersecurity was when he got into it. But he had a knack for computers, and a friend persuaded him to join a startup that was installing firewalls when most companies were just buying their first T1 internet connection. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">That random exposure to the industry set him on a security career that has spanned three continents – the U.S., South America and Europe – and companies including Equifax, Nokia and Blackstone, where he currently serves as Chief Security Officer.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">In that role Fletcher is responsible for both cybersecurity and physical security; oversees a team that advises Blackstone’s portfolio companies; manages investments in early stage cybersecurity companies; and co-heads the Miami office.  </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">This year, he also served on the distinguished panel of judges for CISO Connect’s CISOs Top 100 CISOs (C100) award.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Exceptional Chief Information Security Officers, in Fletcher’s view, need some level of technical proficiency because that facilitates their ability to solve problems in a dynamic threat landscape. </span></p>
<p><span style="font-weight: 400;">Another desirable trait is balance. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“Executive teams are probably dealing with small fires all day long, so I tend to only cry wolf when I see the wolf,” Fletcher said. “I want to be measured in my response to a potential incident, and educate them that there’s a process for escalation in place.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">A good CISO will promote transparency to foster trust among key stakeholders and the people who actually get the job done, he added. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“Oftentimes, security can’t really do a lot by itself, especially in the modern infrastructure world of cloud, DevOps and distributed</span> <span style="font-weight: 400;">responsibilities,” Fletcher said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“Security leaders are influencers, and you have to have the types of skills that bring people to the table to discuss what’s important. Then you influence them to put security work at or near the top of their priority list for the good of the organization.”</span></p>
<p><span style="font-weight: 400;">Security leaders need to be humble, he said, because attackers outnumber them and have only one mission – to attack. “Things change really fast,” he said. “If you think you’ve covered everything and that there’s nothing left for you to learn, you’re just wrong.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Lastly, Fletcher said, top CISOs have to be willing to share what they’ve learned. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“Many CISOs today started their careers when security wasn’t even a thing,” he said. “But now, we are in a position to teach concepts of risk management and security leadership to a lot of people. Security is everyone’s responsibility. So you have to be a teacher and an educator and a consensus builder in order to bring people along for the program.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Security leaders aren’t competing against each other, even if their companies are, Fletcher noted. They may even be co-dependent, he said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“If you were in the financial services industry and it was attacked, why wouldn’t you share information? Giving back to the security community in that way is part of your responsibility.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">As the CISO’s role continues to evolve, security leaders have become the de facto landing place for a lot of technology risk questions that not many others in the organization can answer – for example, with regard to artificial intelligence and third party cyber risk, he said. </span></p>
<p><span style="font-weight: 400;">“Thinking about it more holistically as a technology risk officer or a technology risk executive is certainly something that I’ve been hearing about recently,” he said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Additionally, more and more CISOs are taking on physical security because of its convergence with cybersecurity. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“Having a cyber team that monitors information on physical security risks and then mobilizes the relevant teams to prevent damage or loss is becoming a more common option right now.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Fletcher hopes vendors will leverage AI to improve the security tools organizations are already using. And he thinks this may be the year that Identity Governance / Threat Detection and Response breaks through as perhaps the most important layer of security. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“I think that will be as much a focus in the next 10 years as regular endpoint activity was in the previous 10 years,” he said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Fletcher is a staunch advocate of what he calls “agile cyber defense.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">The idea is to become aware of the “unknown unknown” as quickly as possible; determine whether it is relevant to the organization and if so, assess the potential impact; and finally, conclude whether prevention is available and implementable, and if not, decide how to implement detection and response until it is. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“Becoming really fluent at that agile cyber defense methodology is something that I think everybody really needs to focus on,” he said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">He also advocates more frequent testing of controls. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“We need automated testing, continuous red teaming of some kind,” he said. “I need to know that my controls are working effectively, but I also need to know that they’re deployed comprehensively.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Fletcher expects software-as-a-service platforms where companies store confidential data to become major targets. “Improving SaaS security is something we have a limited amount of time to figure out,” he said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">With authorities requiring more accountability of CISOs, security leaders are going to be held to a higher level of professionalism, including documentation, Fletcher said. </span></p>
<p><span style="font-weight: 400;">Lately, Fletcher has been on a longevity science journey, learning how to extend health span in the context of lifespan through better diet and exercise. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">He tries to play golf once a week, and recently bought a CAROL bike that uses AI for training. He likes to travel with his wife and two young children, and meditates every night. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“I’m usually asleep long before the meditation ends, which I think is a good thing,” Fletcher said with a laugh. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span></p>
<p>The post <a href="/ciso-spotlight-adam-fletcher-blackstone-chief-security-officer/">CISO Spotlight: Adam Fletcher, Blackstone Chief Security Officer</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Marcos Marrero, H.I.G. Capital CISO</title>
		<link>/ciso-spotlight-marcos-marrero-h-i-g-capital-ciso/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Wed, 28 Aug 2024 05:49:22 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37044</guid>

					<description><![CDATA[<p>When young cybersecurity practitioners ask Marcos Marrero for advice, he turns the tables and asks them why they want to get into the field. “The reason I ask is because&#8230;</p>
<p>The post <a href="/ciso-spotlight-marcos-marrero-h-i-g-capital-ciso/">CISO Spotlight: Marcos Marrero, H.I.G. Capital CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37046" src="/wp-content/uploads/2024/08/Marcos-Marrero-H.I.G.-Capital-CISO.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/08/Marcos-Marrero-H.I.G.-Capital-CISO.png 1017w, /wp-content/uploads/2024/08/Marcos-Marrero-H.I.G.-Capital-CISO-300x172.png 300w, /wp-content/uploads/2024/08/Marcos-Marrero-H.I.G.-Capital-CISO-180x103.png 180w, /wp-content/uploads/2024/08/Marcos-Marrero-H.I.G.-Capital-CISO-768x441.png 768w, /wp-content/uploads/2024/08/Marcos-Marrero-H.I.G.-Capital-CISO-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">When young cybersecurity practitioners ask Marcos Marrero for advice, he turns the tables and asks them why they want to get into the field. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“The reason I ask is because if you get into it for the wrong reasons, you’re going to burn out and leave,” said Marrero, the Chief Information Security Officer at H.I.G. Capital and a member of the Esteemed Board of Judges for CISOs Connect’s 2023 Top 100 CISOs (C100) awards.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“You have to have an innate passion for either technology or cyber in order to really be able to stick with this as a career, let alone be successful in it,” he said. “So do not do it just because of all the hype around it, or because you’ve read or heard about the compensation in the field. You have to do it for the right reasons, and in doing so, you’ll reap the benefits.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Marrero got into cyber while working at a help desk in Miami for the private banking arm of Lloyds Banking Group.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">The Federal Reserve had instructed the company to hire an information security officer, and Marrero received the ticket to set up a computer for the company’s new information security officer. Security intrigued him, so he asked for advice on how to break into the field. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Several months later, the new infosec officer brought him on to his team, promising to teach him on the job. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“I came in as an information security analyst and rose through the ranks to where I am today,” Marrero said. He’s spent most of his two-decade career in financial services. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">The two traits a successful CISO must possess are knowledge of the industry, and a dedication to leading and serving others by example, Marrero said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">His parents instilled in him a commitment to service leadership from an early age, so giving back has figured centrally in his professional life, he said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“Ever since I can remember, I’ve always been one to help, always been one to serve others, to mentor, to lead,” Marrero said. “From a career perspective, then, what I look for are individuals who reflect that same type of character. Individuals who do not just see it as a job but have an innate passion for the subject matter and the industry. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“This passion is crucial because that is the only way that you really are going to contribute positively toward the industry, and at the same time reap the benefits of it in your own professional career. Giving back demonstrates your passion for it.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Marrero mentors informally, and in recent years he has also been teaching cybersecurity with Microsoft TEALS, a philanthropic program that promotes computer science studies in rural and low-income community high schools. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“I’ve seen not just the impact that it has on the individual or the child itself, but the impact it has for the family, because you are now changing generationally the direction of that family’s life by serving as a role model to siblings, cousins and offspring, and significantly augmenting the family income,” he said. </span></p>
<p><span style="font-weight: 400;">“I came from a low-income background where my parents were working ‘24/7’ just to keep things afloat. And I have a lot of childhood friends who unfortunately went down the wrong path in life because they did not have access to the right opportunities or didn’t have guidance from a leader or from parents or from some sort of a mentor to help guide them. So, I identify with it very, very closely because I see myself in those kids 30 years ago. All it takes is that one break.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Marrero sees the CISO’s stature continuously elevating within organizations as protecting information becomes ever more critical in an increasingly digitized world. At the same time, he said, “it is also up to the CISO to demonstrate value within the organization by contributing to the bottom line through risk reduction.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Fear, uncertainty, and doubt over new accountability regulations are dogging the CISO community, but Marrero thinks that’s an area “that is blown out of proportion.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“If you do what you have to do, you’ve documented, you’ve communicated, you’ve done all you can, you’ve washed your hands at that point,” he said. “If action does not want to be taken, then action does not want to be taken. But if you have made folks aware of the consequences of inaction, you cannot be held liable either legally or regulatory-wise. You have done the best that you can. Just make sure you document it.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">A top challenge today is the same challenge that plagued cybersecurity chiefs 10 years ago, Marrero said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“It’s about positively influencing within the organization, getting people on your side to do the things that you need them to do or not do to keep the organization safe,” he said. “Security is everyone’s responsibility. It is not just the CISO’s or their security team’s. No one person or department can successfully do that.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">In his scarce spare time, Marrero likes to catch up with family and friends, take care of home repairs, and go scuba diving in his south Florida home base and the Bahamas. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“Technology is my hobby, but scuba diving is one non-tech hobby that I like,” he said. </span></p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
