This post was originally published on this site
Insights from our new Advisory CISO, Helen Patton
If there’s anyone who’s been put through their paces in the security industry, it’s Helen Patton, our new Advisory Chief Information Security Officer (CISO). Helen has come to Cisco from The Ohio State University, where she served as CISO for approximately eight years. And before that she spent about 10 years as a security leader at JPMorgan Chase. She recently shared with me just how many different obstacles she had to overcome, and regulatory environments she had to deal with in these two very diverse – but equally challenging – settings.
Through it all, she’s become a respected security influencer, sharing her perspective through speaking engagements, media interviews, blog posts, and more. This experience and influence will be of great value in Helen’s new role. As a team of roughly five people, Advisory CISOs hold a unique position within Cisco. They serve as security evangelists who lend their expertise to many critical internal decisions, as well as take part in strategic discussions with customers, analysts, peers, media, and others to improve security for all.
I was lucky enough to connect with Helen to learn more about the life of a CISO and some of her plans for this new role.
Q: Welcome, Helen! First of all, why Cisco?
Thank you, Gene! As a security practitioner at JPMorgan Chase and then a CISO at Ohio State, I was able to make an impact on the security industry as a whole – networking with peers, participating in events, and making decisions that contribute to better security overall. I wanted to be able to continue that mission, and I knew Cisco would be a good fit for that. Cisco has a lot of influence in the industry, and as Advisory CISOs, we are in the center of those important conversations that can really make a difference.
Q: More broadly, why security?
I get that question often given how challenging security can be. In short, I’m a control freak. I like things to be trustworthy, and I believe that security done well leads to trust.
Q: How did your previous roles prepare you for this one?
Being a CISO at a large research university is not just about protecting educational data and kids in classrooms. It’s more like trying to do security for an entire city with all the industries that are within it. For example, at Ohio State, we had a hospital on campus, we had hotels, and we had an airport. All of this had to be taken into consideration from both a compliance and risk standpoint.
And at JPMorgan, we operated in 70 countries, often with conflicting security and privacy regulations. We were so highly regulated that there were auditors who had offices in our building. I’ve been faced with many interesting challenges during my career, and feel that I can help Cisco, its customers, and others navigate similar situations while enhancing the way we all approach security.
Q: What do you see as the top three challenges facing CISOs today?
The things that are challenging to CISOs now are the things that have always been challenging:
- Getting buy-in from the business, all the way from the boardroom to the end user.
- Technical debt.
- Ecosystem risk, meaning that we continue to have less and less control over our technology, particularly as more components move into the cloud.
While these challenges apply to most CISOs, of course each vertical comes with its own set of obstacles. For example, in higher education, faculty and researchers have a lot of autonomy over the technology they buy and implement on the university’s network. So the IT and security teams are left to deal with a plethora of disparate, disjointed solutions, which is very difficult to manage and secure. (As you know, a recent Cisco report said that well-integrated technology is key for security success.)
Q: Those are some serious challenges indeed. What types of skills do CISOs need to overcome them?
CISOs have to be both influencers and educators. If we’re going to be as effective as possible, we need to be on the leading edge of the strategy decisions being made in our organizations. But while we’re trying to convince people that security is important, that we need the right investments to do it well, and that we should be involved in every aspect of the business, we must also educate. Most executives do not have a background in security, so we need to inform them every step of the way about the types of risks we’re introducing with each decision we make.
Q: What role can Cisco play in helping to alleviate these burdens for CISOs?
From a technology perspective, I believe Cisco is moving in the right direction in terms of making security more simple. For example, when rolling out new solutions at Ohio State, I had to take usability into account not just for employees, but also students. When we deployed Cisco Secure Access by Duo for multi-factor authentication, the interface was easy to use, and we were able to customize it so that it was not too different from what our end users were used to seeing. It was also simple for our security team to implement and manage.
This is really where security should be heading. Seamless, cloud-based, and not overly complicated. But the reality is that many companies still have a lot of legacy technology, so vendors must keep that in mind as well. Through SecureX and a platform approach, Cisco is helping organizations embrace new concepts like zero trust, SASE, and XDR, but is doing so in a way that allows them to take incremental steps towards a future-looking, cloud-based environment while still leveraging previous investments.
Q: In the spirit of making security simple, but not simplistic, what else can we do to help with that?
Security has a reputation for being complex, and practitioners almost wear it as a badge of honor. But as technology becomes more accessible and easy to use, we have to apply that to security as well. We need to remind security practitioners that just because something is easy to use, it doesn’t mean that it’s not powerful and complex behind the scenes.
And for end users, we have to relate security to what’s most important to them. When we did security awareness training at Ohio State, we incorporated aspects of home security as well. For example, how do you protect your family from being hacked? How do you safeguard your kids from being bullied online? In having those conversations, the employees would then come to the office and apply the same types of thinking to their jobs.
Q: I love that. Especially now, where work and home are blended, shouldn’t we do everything we can to protect both?
Exactly. We have to make good digital citizens of people, beyond just our own employees. While we’re helping to connect more and more people and things to the Internet, we need to make sure we’re doing it securely. Once we give people access, what are they going to do with it? And will it be safe?
Q: You’re right. Connecting things is certainly good, but there’s a bigger responsibility that goes along with it. What are some things that CISOs can do to help protect society at large?
Code.org revealed that only 47% of U.S. public high schools teach any computer science courses at all. There’s a huge opportunity here for security leaders to go to their local schools and help educate students on what it means to be secure. Similarly, local governments are continuously getting hit with ransomware and the like, so there’s also an opportunity to meet with these organizations and offer security insight. Security roles can be all-consuming, but in the end, it will benefit us all if we can go beyond our daily jobs and use our skills in other areas where there’s a need.
Q: This is really powerful stuff, and we could probably go on all day. But I’ll leave you with a question that is top-of-mind right now for many CISOs. As people begin to return to the office, how can we make sure that things remain secure?
What worries me about the return to the office is not the technology, as we’ve seen what it can do, but the fact that people are going to change the way they work. This in turn will change the risk profile of the organization. CISOs will have to stay close to the various pieces of their business to understand how work behaviors, and therefore risks, have changed.
We look forward to working with Helen to further unearth what CISOs and their teams really need from Cisco, and to take the steps necessary to make it happen. Simplicity is key for effective security, and we continue to strive towards that goal as we assist customers with digital transformation.
More of Helen’s insights can be found on her blog and on social media (LinkedIn, Twitter). She will also be speaking about resilience at the RSA Conference next month.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels