Because technology changes, cybersecurity threats change, which means cybersecurity practitioners must keep moving to stay on top of their game.
Because technology changes, cybersecurity threats change, which means cybersecurity practitioners must keep moving to stay on top of their game. To find out about what one expert thinks are the top 10 skills chief information security officers will need in 2024, going beyond the technology, the Federal Drive with Tom Temin spoke with the Director of the CERT division of the Software Engineering Institute, Greg Touhill.
Interview Transcript:
Tom Temin So you’ve outlined ten skills for CISOs in the coming year. And Lord knows with artificial intelligence and better fishing and yada yada yada, things are getting worse. But these are not necessarily technology skills, are they?
Greg Touhill No, frankly, senior executives expect the chief information security officer to act as a senior business executive first and the technologists second. So, making sure that the chief information security officer is working as a senior business executive and translating technology into the language of business is a key and essential skill.
Tom Temin All right. But they say that of the CIO too. So how do they differ?
Greg Touhill Well, the focus of the CIO and the CISO or I pronounce it CISO. They’re intertwined. So, both of them have to be acting as senior business leaders when it comes to the chief information security officer. The language of the business is centered on risk, driving the business value, profit and loss, reputation, and growth. So, it’s the CIO, but the focus is on capability for the CIO and for the CISO, it centers on risk.
Tom Temin Sure. And getting to your list, number one though is master AI before it masters you. And this is something Congress is grappling with. Members of Congress think they need to regulate it, but they don’t understand it. Agencies are figuring out how to inculcate it for the Chief Information Security Officer. Explain more about how they can master AI before it masters them.
Greg Touhill Well, you know, here at Carnegie Mellon, we have some of the world’s leading experts on artificial intelligence engineering. Folks are actually building out the different capabilities. Even the Army has put their AI innovation center here co-located with Carnegie Mellon. But when you take a look at the rapid advance of capabilities in artificial intelligence, generative AI, that’s really put AI on the top of the map in 2023, replacing zero trust as the buzz word du jour in a lot of places, but understanding the different flavors of AI and how to secure your data in that environment is critically important for CISOs today and into the future. A great example is with generative AI. What do you do if somebody from within your organization puts sensitive information into the prompt for a generative AI causing a spillage, perhaps of personally identifiable information, classified information, intellectual property, knowing ahead of time how to deal with that is important, but even better is how to prevent it. How to educate your workforce. Understanding your data. Setting up the labels so that folks know. Don’t put this into a generative AI prompt, because once it goes in, it’ll never come out.
Tom Temin Yeah, I understand prompt training is emerging as a field of endeavor for people to understand, because, you know, you might need a four-page text prompt to get what you want. And at the same time, as you say, you can’t put in sensitive information or something that might invoke it.
Greg Touhill Right. And then further, with a broader sense of AI writ large, if you’re going to be entering a contract with an AI company and using some of their models and the data that those models are consuming. Understanding where that data came from, whether it is ethically sourced, do the companies have the right to use that data? All of that becomes very important, particularly as we see, for example, the European Union has just put together an artificial intelligence act. It comes with fines. If you are not using data that you have the rights to use. So, there’s a lot of questions out there that the CISOs need to invest their knowledge into so they can master AI before it masters them.
Tom Temin We are speaking with Greg Touhill. He is director of the CERT division of the Software Engineering Institute at Carnegie Mellon University. Earlier you mentioned risk and on your list is manage risk using advanced metrics and risk quantification. I think that also though relates to that idea of improving communications with the board in the C-suite, because they know risk is everywhere they look. Maybe the chief information security officer can advise them on. A risk management approach because you can’t eliminate all risk in this life.
Greg Touhill Right. And one thing I learned as a combat leader in the military is those who try to manage risk to zero will always end up losing, being disappointed and broke. So, you know, as you take a look at risk management, and we teach a lot of great courses here at Carnegie Mellon for executives and CISOs and, you know, all types of students. We reinforce the fact that as you are looking at risk, you need to be able to actually measure outcomes. And evidence trumps anecdotes, is what I put in the article. But as you are as a CISO trying to articulate that risk, you need to do so in terms of the language of business. You need to be discussing what the risk is to the value of the business. How does it affect the profit and loss status of the company? Being able to quantify and qualify reputational risk, showing where growth could be impeded or we’re going to lose customers, investors, our trajectory is going to be adversely affected in this particular manner. But being able to quantify and qualify those risks is part of the research that we are doing here at the Software Engineering Institute and sharing with our government and military partners. And more information is available at sei.cmu.edu, our website, where we post a lot of our releasable information.
Tom Temin And the better you can rank and quantify the risk, then the better you can create a reasonable budget and a way to operate the CSO operation so that you can get at the most important risks and leverage your money most effectively. Fair to say?
Greg Touhill Absolutely. And then further, you’re going to be put in a better position to demonstrate your return on investment when you have the data to back it up.
Tom Temin What about mastering the art of negotiation? Who do CISOs need to negotiate with?
Greg Touhill The CISOs need to negotiate up, down, across and out. So, it’s really kind of a three-dimensional picture. As a CISO you need to be able to we’ll start with down as, as you were trying to build out your budget and build out your programs, you need to make sure you have the right team in place. And the team is all, synchronized well, with you, as you were, looking to promote your programs like the user education and making sure that folks are following due care and due diligence across the entire organization. You need to be able to have the negotiation skills to convince folks that these are the right things to do. It’s more than just to check the box. It’s, really not just a security team responsibility to protect the organization, but the whole team. Further, you need to be able to convince folks up the chain, as well as your senior peers, to make those investments in cybersecurity, to protect the business and to facilitate its growth and opportunities. And then finally, you need to be working with the ecosystem of partners that you have, those third-party providers where you’re sharing some of your data and having them be the custodians of your data. You need to make sure that you have those solid relationships to get the most value for the organization with the partners that you, form. So, I view it as a three-dimensional relationship that you’re going to need to be able to maintain in all aspects of the CISO job, up, down, across and out.
Tom Temin Yeah. And that idea of negotiating relates to one of your point, which is thinking beyond enterprise IT to the operational control systems, automated manufacturing platforms, all of that stuff, because then you’re dealing with a whole different set of people and different operations within the organization from the people that operate the regular enterprise, IT and all the users with their smartphones.
Greg Touhill Yeah, absolutely. And as you take a look at all the different constituencies that CISO operates with and serves, they all speak a different language. So, the CISO needs to be able to master the languages of the different constituencies that are out there. And it’s really important as we take a look at operational technology, manufacturing technologies, even third-party providers, that you are sharing corporate information and data with. You know, those third-party folks that are custodians of your data are an important part of your enterprise. So being able to speak the language with each one of the constituencies that you work with and serve is critically important for organizational success.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED