Helen Patton, CISO for the Security Business Group at Cisco, talks about running security in a way where organizations can respond to and recover from threats, and why it’s vital for CISOs to be able to “talk about security things in non-security ways with non-security people.” Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.
Lindsey O’Donnell-Welch: Can you talk a little bit about your background and how you got into cybersecurity?
Helen Patton: I've been in cybersecurity probably since the late 1990s, early 2000s. I grew up in the 70s and 80s. That's long enough ago that computers didn't even register for me as somebody growing up. My life and my career have been a series of accidents, really. I didn't know what I wanted to do when I grew up. And so when I was younger, I just tried everything. And in doing that, I found myself moving from Australia to the United States. And I did that in the 90s. And then I was in Ohio, and I was working around, just trying to work out how to work; I didn't have a degree at that point. And I ended up working for an organization as a membership assistant. And they were in the middle of doing a conversion of their very old technology to the newfangled Windows 95 network. And the company that was brought in to consult on that conversion ended up hiring me. So that was sort of an accident. And it was a happy accident. So I generally got into IT in the early 90s, and I spent the 90s doing networking and help desks and all of that kind of stuff. It was in the 90s that we started seeing a whole bunch of security worms and viruses and other things pop up. And then there was some stuff that happened over early 2000, like the Y2K issue, like power outages, like some major viruses that really knocked everybody about. And my boss at the time, who was the CIO, said, "We need somebody to write a security plan and a business continuity plan. And Helen, you're it." So I was sort of volun-told to get into it initially. And I left there and went to JPMorgan. I was hired on to do disaster recovery and business continuity planning, and there was a reorganization pretty quickly, so I found myself now being responsible also for some security stuff as well as things like identity and access management. So I was 10 years at JPMorgan and I worked my way around in different roles while I was there for 10 years.
I left there, and at this point, I had a daughter who was in middle school who didn't really appreciate me traveling as much as I was traveling for this international company, and I was looking around for something local and the CISO role at the Ohio State University came open. And I actually hadn't been a CISO before, I didn't really think I was completely qualified for it. And yet I applied and they offered me the job. So I got the job, and I learned a lot working as a CISO in higher ed because it was like running a small city. So all the issues of hospitals and PCI and retail and everything, is all under this one umbrella. So I learned a lot. So I was there for eight years. And I was invited to apply for a role at Cisco, which I took. So I've been sort of intentional about staying on top of learning about things, understanding where the trends are, very intentional about networking so that you get to know when things are popping up and when things are available. I got my CISO role at Ohio State because of someone who used to work with me at JPMorgan. So I did all of those things, but I really didn't have a plan of where I wanted to be. I never thought I wanted to be a CISO until the role came open and that was where I was at. So I was intentional about learning and growing myself, but the actual roles I fell into were just happy accidents.
“You've got to be able to see it end to end, in order to be able to protect it end to end.”
Lindsey O’Donnell-Welch: Were there any skillsets or moments that defined or shaped your career before you eventually went down that CISO track?
Helen Patton: So I've always been wired to think about process and to think about the how and why we do things. And certainly in business continuity, disaster recovery planning, that plays a lot, because you get into the questions of why this business unit or this function, and not this other function? Why is this more important than that? How do you quantify that something is more important than something else? And then tactically, approaching things like, okay, let's say we want to recover payroll, well, you've got to understand the end to end process of payroll, everybody who touches it, all the companies external and internal that have a role to play in deciding what to pay someone, how to pay somebody, when to pay somebody, all of those kinds of things. And you've got to be able to see it end to end, in order to be able to protect it end to end. And having that sort of high level view of process really served me very well from a security perspective as well. So we talk in security about defense in depth, which means there is not one singular control that you can rely on to guarantee you protection or guarantee you resilience. So being able to sort of observe the entire environment, and all the layers of how things work, and then all the layers of where controls might be applied, was a super useful skill to have. And I can apply those skills regardless of the technology; I still have to understand the technology in order to intelligently apply those things. But I don't have to get completely deep in the technology in order to be effective in those areas. That was one skill.
I think the other thing that came pretty easily to me - less easily to some other folks - is the ability to talk about security things in non-security ways with non-security people. And I think I started with this on the business continuity side, honestly, because you had to be able to talk to the business. So for example, we were doing a tabletop exercise way back in the day in a company, where we were talking to the business people, and we said, "What kind of technology do you use?" And they said, "Well, we use the help desk." I'm like, "Okay, why do you use the help desk?" "Because that's the number I call when I have a technology issue." As far as they were concerned, tech was the help desk. The fact that the help desk then handed it over to the networking team, or the server team, or the application team or whatever, just wasn't part of the business lexicon at all. So if I'd shown up and said, "What kind of service support do you need?" they would have just said, "None," because it wasn't part of the way they thought. So being able to identify how people frame their world, and then being able to say, "and this is how security can help that frame," is a skill. And it's one you learn over time; you can't go to college and learn it.
Lindsey O’Donnell-Welch: What do you think is important for really cultivating security culture in businesses?
Helen Patton: I think when it comes to culture, you've got to start at the top, actually. So when I come in to do a new security program, one of the things I'm assessing very early on in my tenure - it even starts in the interviewing processes - is how does leadership think about security? I don't want leadership to be micromanaging the security program. That's my job, frankly, to make sure that the security program is working well, but knowing whether they even think about security, and if they do, how do they think about security, is a really important thing. And knowing that there's going to be leadership support for the security program is super important. So, certainly starting at the top. But the paradox of security is that you also need to have security advocacy and security enablement in every frontline organization. So, you can put processes in place that encourage people to do things in a secure way. And that has to be part of it as well. But at the end of the day, there is always someone who is in a position to make a risk decision, that is a security risk decision, based on their job. And if you haven't had a chance to get security into their thinking, they're not going to think in a secure way, they're not going to act in a secure way. So you've got to have a security program that's about the security awareness - I'm not going to say training, because I'm not talking about training people about how to be secure with technology, although that can be part of it - but you need to have an awareness program that makes people consider security as they're doing whatever it is that they do. You need executive support, to have the resources to make those things happen. You need the leadership to be talking in ways that enable security advocacy, regardless of what the topic is that they're talking about. You need all of that at the top, and you need the resources to be able to reach out to people where they are.
So especially if you have a very small security team or a very small group of people who are doing awareness, it's really hard to scale. So you've got to almost crowdsource security advocacy within an organization, because otherwise you can't reach people where you need to get them.
“There's a tendency in the industry to think if you've got bigger companies, and more money, that you can make that culture change faster. And I actually find the reverse is true.”
Lindsey O’Donnell-Welch: Right. And to your point about being able to scale out, do you find that there's a different timeline for different organizations, depending on the sector or otherwise, in building up that security culture?
Helen Patton: I have a mentor who once said to me - and I sort of agree with this statement - that as long as it takes to build a culture, it takes that long to change it. So if you go into an organization that's a startup, and you're there on the ground floor, you can build that culture right from the beginning. If you're going into an organization that's 150 years old, there's 150 years' worth of culture that you're going to have to try and tweak. And that can take more time. So there's a tendency in the industry to think if you've got bigger companies, and more money, that you can make that culture change faster. And I actually find the reverse is true; smaller companies, mid-sized companies, tend to have culture fluxes, they're more susceptible to being influenced in culture change, than longer-serving organizations. It can take a really long time. When I moved to Ohio State as a CISO, I thought I'd be there about three years. And I was there for eight. And one of the reasons was that I really felt like, although I had stood up some technology programs, and those kinds of things, that cultural aspect hadn't been done in the three years. And I really enjoyed working in higher ed and at Ohio State. And that was one of the reasons I stayed as long as I did. But one of the reasons was also that we needed to make some cultural changes. The other thing that happens is, we have companies that are highly regulated, and they tell themselves a story that they're really security aware, because they're regulated. And I find that organizations that think of security through the lens of compliance are some of the harder cultures to change. And you need to change that thinking, that security isn't a compliance issue. Security is a risk issue. And so how you respond to security incidents, how you respond to security questions, changes depending on which lens you're looking through.
And if you go into an organization that is thinking it's secure because it's compliant, that's almost a harder thing, it's like a bad habit you've got to undo, as opposed to a good habit that you're trying to foster. You've got to undo the bad habit first, before you can do the work of fostering the good habit. So yeah, it can take some time for sure.
Lindsey O’Donnell-Welch: How would those conversations go when you're talking to a company that is so focused maybe on compliance or just set in their own ways? How do you overcome that challenge?
Helen Patton: You can't go in and tell somebody to be more risk aware, and more of a security advocate; you've got to show them that there are benefits to doing it. So when it comes to employee awareness, and education, we have a tendency to throw compliance training at them that says, "This is how you report an incident. And you don't click on things. And this is the compliance thing." What tends to be more successful, and some of the research data sort of bears this out, is that if you go in, and you talk to them about how to use technology to protect their family, how does being secure at home help them? They bring those habits with them into the office, as well. So, trying to understand what they care about, and how security can help them enable what they care about, whether that's preventing their kids from being bullied online to how do you make more money as an organization in a revenue sense, while you're going through mergers and acquisitions, it's still, what do they care about the most and how does security enable those things they care about? Again, I can't just go and tell them, I have to go and show them, that this is something to do. So, we can talk about giving developers code scanning tools, and that's great. But if that's all I did, that wouldn't build the advocacy. If I can show them that by using these scanning tools, they've got less work to do later in terms of fixing things in production, then they're going to self-motivate to scan. And again, it takes a lot of time to do that, it takes a lot of one-on-one conversations with individual developers and individual engineering teams and individual finance teams. But that's just the work that has to be done.
“But there is definitely pressure on security leadership to be able to understand the business drivers and to be able to partner with business leadership in an organization and talk the language of the business and align the security program to business objectives, as opposed to technology objectives.”
Lindsey O’Donnell-Welch: I'd imagine there's a lot of different moving parts there.
Helen Patton: It happens over time, like the security team that's trying to do this has to be trusted. So they can't be buried down in the bowels of the technology organization, because they're seen as too operational. So you've got to have the right level of team with the right kind of skillsets on those teams. And those people have to be seen as sort of trusted advisors, and partners, not service providers, but partners into the other areas of the business. And that can take some change to make that happen.
Lindsey O’Donnell-Welch: How have you seen the job of CISO evolve over time, either in the responsibilities themselves, or how they're perceived by others within the organization?
Helen Patton: It definitely has evolved. It came out of IT first and it was seen as a subset of IT; it's still seen as a subset of IT in a lot of organizations, and it's not uncommon to see the CISO still report to the CIO or the CTO. But there is definitely pressure on security leadership to be able to understand the business drivers and to be able to partner with business leadership in an organization and talk the language of the business and align the security program to business objectives, as opposed to technology objectives. Having said all of that, security leaders are often not included in the very exclusive club of senior leaders. And then senior leaders get frustrated that CISOs don't know how to talk their language. So we still need senior leaders and board members to invite and encourage security leadership to come up into the leadership team. It doesn't have to be a formal reporting line even, but just be included in strategy meetings, included in planning meetings, to talk about business outcomes, and be in the room when those things are being talked about. So that they can then talk about their security program and align their security program the right way. So we've made some steps in terms of maturity, but we've still got a long way to go. And we should expect that senior leaders learn more about security too. So right now we're still at this phase where it's like the CISO needs to learn more about the business, the CISO needs to be able to talk in business terms. Well, I'm sorry. But if you're the CEO of a company these days, you are a technology company, regardless of the industry you're in. And you have risks associated with that technology. So I don't know how you can be a senior leader of any organization, and not expect to be expected to know basic security things. And yet, we're in a situation right now, where there is plenty of company leadership out there where all they know is how to turn on their cell phone.
And they don't know anything else. And how are they meant to have an intelligent conversation about security risk with the security leader if they don't know that? So we need to get senior leadership educated on how to think about systemic security risk, and we're not quite there yet. That has to happen too.
“The question is, are we building security programs? And are we running security in such a way that we can respond to and recover from those, whatever the threat is?”
Lindsey O’Donnell-Welch: Do you have any top-of-mind security concerns?
Helen Patton: There are a lot of security people that will talk about threats, and there's always going to be a threat. If it's not ransomware, it's going to be something else. The question is, are we building security programs? And are we running security in such a way that we can respond to and recover from those, whatever the threat is? So we can talk about artificial intelligence or quantum or this or that other thing and sort of emerging technologies that are going to change the way we work. But for me, we're still not doing the basics very well. So we're certainly having trouble with asset management, for example, which isn't a security thing, it's an IT thing, but if we don't know what assets we have, it's really hard to secure them. And it's not really about the technology assets, so much as it is where is our data? Our data could be on a laptop, it could be on a server in our data center, it could be in a cloud service provider, it could be in a third party, or a fourth party or a fifth party, and we are responsible for that data. So asset management in terms of knowing where your data is, and being able to ensure that those locations are secure, is really problematic for everyone.
That's one thing. I think things like vulnerability management then become that much more difficult, because you don't know where you're vulnerable if you don't know where your data is. And so we've still got to work through some of those things. I think identity is still a big problem for a lot of organizations. And that is everything from how do we onboard and manage and offboard employees or customers or vendors, as they're getting access to our systems. But it's also things like, do they have the right kind of access at the right place in the right time, in such a way that they can do their job, security is not getting in the way of the way they work, but also that the access they have is appropriate for their job, and appropriate for the kind of data that they're working on. There are so many variables in terms of what is appropriate. It's not just whether Helen is an employee of a company, it's what application, what kind of data, what time of day, what location; all of those things are playing into whether or not access should be granted. And it's really super complicated. So identity is still a problem for us. So forget all the newfangled whatever products you're going to see on the vendor floor. Vulnerability management, asset management, identity management, those are things we still haven't solved for properly yet.