Cybersecurity the focus of executive conversation

Nov. 6, 2019 - Wendy Martin

Cybersecurity was the focus of a recent “Executive Conversation” hosted by the VCU School of Business. Over the course of two hours, a four-person panel discussed the role of cybersecurity solutions providers, how cybersecurity is evolving, why cybersecurity needs to be an executive-level priority, and creative approaches to hiring and training qualified security personnel.

Panelists represented key elements of cybersecurity ecosystem

Bobby Turnage, Jr., (B.S. ‘89/B), leader of the Sands Anderson PC Cybersecurity and Technology Practice Group, moderated the panel that included three other VCU School of Business alumni: Tom Casey (B.S. ’92), Mark Eggleston, CISSP, GSEC, CHPS (M.S.W. ‘98/BW; Cert ‘01/B), and Dan Han (B.S. ‘05/B; M.S. ‘11/B; M.B.A. ‘11/B).

Eggleston is vice president and chief information security and privacy officer with Health Partners Plans, while Han serves as chief information security officer with VCU.

The role of cybersecurity solutions providers

Assisting them are people like Casey, an account executive for GuidePoint Security. “All we do is security,” Casey explained. “There’s always a new threat. We spend hours asking our clients questions – Do you have government regulations? Do you work with third parties? Do you take credit cards? We learn about their customers and their business. Then we help develop a plan. It could be a technology or maybe a person or a process.”

The peril of labeling cybersecurity as a technology issue

Eggleston explained that the role of a chief security officer (CSO) continues to evolve. “I report in to my CIO [Chief Information Officer]. Two-thirds of us have that reporting relationship. But the peril of that is that it suggests cybersecurity is a technology issue when it’s not.

“When people ask me ‘How many people are in your security workforce?’ I tell them, ‘Everyone. Our entire workforce is in security.’ Thankfully, it’s becoming a boardroom discussion as well,” said Eggleston.

Turnage echoed that sentiment. “It’s becoming known that cybersecurity should have visibility at the highest levels of an organization – the board level and executive team. The CEO needs to say, ‘This is really important to us, and we’re all going to be receiving training.’”

What needs protecting?

“It’s not just personal data that we need to protect,” explained Casey. “We also need to protect intellectual data so that countries like China don’t steal our technology. Intellectual property is what gives us the competitive edge and keeps us all having jobs.”

“Intellectual property is equally as important as employee data and customer data,” agreed Turnage. “Plus, if you have a third party’s information that’s been entrusted to you, you’ll need to protect that information. Similarly, if you’ve entrusted your information to a third party, you’ll need to have a business arrangement that outlines that party’s data security obligations. That’s my goal – to help people think as broadly as possible about their scope of risk.”

“Security is not how it was five years ago,” explained Han. “There aren’t physical servers on the premises. Today it’s all in a cloud somewhere with third-party contracts with Amazon and Microsoft. Unless we are able to raise the bar for everyone involved in network connections and data transmission, we’re really not able to solve this issue. We need to make an attacker’s effort exceed the value of the data. That’s the goal.”

Finding qualified security personnel

The panel addressed the challenges of securing qualified security employees. “The three things you should be looking for are: a college education, certification and experience,” said Eggleston. “Having all three is perfect but two out of three can work in today’s market. So what you are really looking for is passion – people who want to develop a stronger community and have an insatiable thirst for knowledge.”

“Before this career, I was a psychotherapist. I like to fix things from an analytical perspective. Sometimes, when you are focused on teaching good security, the last thing you want is a technologist because they can speak in acronyms, and their teaching message is lost in translation. You now need people who know contracting and how to manage service providers.”

“We know there are problems identifying qualified talent,” said Han. “I know small- and medium-sized businesses can’t afford the most qualified security personnel.

“So we leverage our students with experiential learning experiences – have them help defend the small to medium businesses. Maybe something as simple as removing that default password on your Linksys router. Making students part of the pipeline is a way for us to ultimately raise the cybersecurity bar.”

Choosing a speed on the cybersecurity highway

Han shared a cybersecurity analogy. “Imagine a highway with three lanes. Technology is in the fast lane, in a Ferrari, doing 100 miles per hour. Laws and regulations are in the slow lane, in a horse-drawn buggy. Most organizations have to navigate that middle lane. If you go too fast, you run the risk of not being genuine. If you go too slow, you risk being left behind.

“Electronics are constantly collecting data and we don’t always know how it’s being used. A CSO cannot only look at information security but must also look at information use and privacy. We have to work closely with our legal counterparts to determine ‘How can we effectively use people’s information – maybe to benefit or sell them something – in a way that isn’t disingenuous?’”

Protecting “a city within a city”

Han described the immense challenges of being the CISO with Virginia Commonwealth University. “VCU is one of the largest employers in central Virginia. If you include our health systems campus, we have about 17,000 employees and a total of 50,000 people, including students. We also have a campus in Qatar. VCU is like a city within a city.

“You know VCU as an educational institution, but we also do other things. We conduct research, run retail operations and manage facilities.

“From a cybersecurity perspective, these are all different lines of business with different regulations that are faced with different threats. Every day there is something new and exciting waiting for me at the office.”