WEBVTT

1
00:00:00.360 --> 00:00:02.070
Michael Novinson: Hello, this is Michael Novinson with

2
00:00:02.070 --> 00:00:05.280
Information Security Media Group. I'm joined today by

3
00:00:05.280 --> 00:00:08.280
Michael Owens. He is the business information security

4
00:00:08.280 --> 00:00:11.970
officer at Equifax. Good afternoon, Michael, how are you?

5
00:00:11.999 --> 00:00:13.049
Michael Owens: I'm well, thanks, Mike.

6
00:00:13.650 --> 00:00:15.750
Michael Novinson: Let's talk a little bit about leadership

7
00:00:15.750 --> 00:00:19.650
today. Want to get a sense of what are your biggest priorities

8
00:00:19.680 --> 00:00:22.020
as a cybersecurity leader in your organization?

9
00:00:22.680 --> 00:00:25.560
Michael Owens: I think the biggest aspect to cybersecurity

10
00:00:25.560 --> 00:00:29.760
leadership is empowering others and creating a cybersecurity

11
00:00:29.760 --> 00:00:32.130
culture throughout the organization. A lot of people

12
00:00:32.130 --> 00:00:35.550
talk about culture. But it truly is one of the hardest things to

13
00:00:35.550 --> 00:00:38.190
do to implement, but also one of the most rewarding things.

14
00:00:38.910 --> 00:00:43.020
Security has to be a process that everyone buys into. And it

15
00:00:43.020 --> 00:00:46.140
can be tough. And I think, really buying into changing the

16
00:00:46.140 --> 00:00:49.170
culture, infusing that culture into the organization - any

17
00:00:49.170 --> 00:00:52.200
organization - is the key to being a good cybersecurity

18
00:00:52.200 --> 00:00:55.710
leader. I think the other aspect is that within this profession,

19
00:00:55.710 --> 00:00:59.430
things are always changing. So being adaptable, having

20
00:00:59.430 --> 00:01:04.290
foresight, and ensuring that you are working throughout industry,

21
00:01:04.290 --> 00:01:07.200
not only in your business, but looking externally to see what

22
00:01:07.200 --> 00:01:09.600
things are going on, and being able to adapt to this.

23
00:01:09.000 --> 00:01:10.950
Michael Novinson: In terms of building that security culture,

24
00:01:10.950 --> 00:01:12.090
what have you found to be the most effective strategies or

25
00:01:12.090 --> 00:01:12.720
best practices to do that?

26
00:01:12.990 --> 00:01:15.450
Michael Owens: Every company is different, we have to

27
00:01:15.720 --> 00:01:32.190
acknowledge that, I think. But when you're able to really get

28
00:01:32.190 --> 00:01:36.060
support from the executive leadership, this is something we

29
00:01:36.060 --> 00:01:38.670
need to have is key. The second thing, which I mentioned

30
00:01:38.670 --> 00:01:42.840
earlier, was consistency. It has to be something that is

31
00:01:42.840 --> 00:01:45.810
literally spread through every single part of the organization,

32
00:01:46.230 --> 00:01:49.770
no matter what type of industry you're in, empower everyone to

33
00:01:49.770 --> 00:01:53.880
feel like it's part of their job duty, it may not be in their job

34
00:01:53.880 --> 00:01:57.630
description, but it's part of their job to ensure that they

35
00:01:57.630 --> 00:01:59.280
help uphold the security of the company.

36
00:02:00.320 --> 00:02:01.460
Michael Novinson: What are some of the ways you've gone about

37
00:02:01.460 --> 00:02:03.890
doing that in terms of spreading security throughout the

38
00:02:04.250 --> 00:02:07.400
organization? How do you actually do that, from the perch

39
00:02:07.400 --> 00:02:08.030
of the CISO?

40
00:02:08.810 --> 00:02:11.990
Michael Owens: There's multiple to two different ways. There's

41
00:02:11.990 --> 00:02:18.080
the authoritarian strong old practice of tying it to the HR

42
00:02:18.080 --> 00:02:20.240
aspect. If you don't do this, therefore, there are

43
00:02:20.240 --> 00:02:24.230
repercussions because of it. I mentioned before the consistency

44
00:02:24.230 --> 00:02:27.800
perspective, so cybersecurity awareness training, and not only

45
00:02:27.800 --> 00:02:31.460
conducting the training, but also, again, building it into

46
00:02:31.460 --> 00:02:36.170
the organization itself. So testing responses for phishing,

47
00:02:36.170 --> 00:02:39.710
for example, and making sure that something that's done on a

48
00:02:39.710 --> 00:02:43.310
regular basis. I know this is done, but also reported out. I

49
00:02:43.310 --> 00:02:45.770
found it helpful to take those results on a monthly or

50
00:02:45.770 --> 00:02:49.100
quarterly basis, and share them back to the employees. So they

51
00:02:49.100 --> 00:02:52.880
can see for themselves what's going on. A cybersecurity

52
00:02:52.880 --> 00:02:56.420
awareness training program is obviously, it's part of what

53
00:02:56.420 --> 00:02:59.990
most companies do as well. And I think the last thing is

54
00:02:59.990 --> 00:03:02.540
incentivizing people. And it kind of goes with empowering,

55
00:03:02.720 --> 00:03:05.990
but also incentivize them to where, as we do see better

56
00:03:05.990 --> 00:03:09.950
results, there are there's some sort of incentives that go along

57
00:03:09.950 --> 00:03:13.280
with it, potentially, bonuses, which everyone seems to like,

58
00:03:13.790 --> 00:03:15.140
and various other things.

59
00:03:16.280 --> 00:03:18.200
Michael Novinson: So, as a cybersecurity leader, what are

60
00:03:18.200 --> 00:03:20.270
some of the most valuable skills you've drawn upon?

61
00:03:22.010 --> 00:03:24.260
Michael Owens: I think that's changed over the years. I think

62
00:03:24.290 --> 00:03:30.860
I used to say, how technically astute someone was, or with my

63
00:03:30.860 --> 00:03:35.060
own background, being someone who grew up from the Help Desk,

64
00:03:35.210 --> 00:03:37.370
you know, into the wiring closet and routers, switches,

65
00:03:37.370 --> 00:03:41.090
firewalls, truly understanding how technology works, and then

66
00:03:41.090 --> 00:03:44.480
understanding the threat vectors, and ultimately how to

67
00:03:44.930 --> 00:03:49.670
mitigate those to growing into a global cybersecurity leader,

68
00:03:49.820 --> 00:03:56.090
where it's truly about risk, and how to add better value for the

69
00:03:56.090 --> 00:03:59.270
organization for the company. It's in the same kind of linear

70
00:03:59.270 --> 00:04:02.000
line. But I think at some point in time, you really start to

71
00:04:02.000 --> 00:04:04.490
focus as a security leader on the risk and how you can

72
00:04:04.700 --> 00:04:09.080
mitigate or transfer risk within the organization. And that's how

73
00:04:09.080 --> 00:04:13.700
you ultimately bring value. The underlying aspects of ensuring

74
00:04:13.700 --> 00:04:17.390
that you're doing the right things, technically is still

75
00:04:17.390 --> 00:04:20.570
just as important. But I think as we continue to evolve as an

76
00:04:20.570 --> 00:04:23.690
industry, as cybersecurity becomes top of mind for

77
00:04:23.690 --> 00:04:27.170
everyone, that it becomes more and more important that as

78
00:04:27.170 --> 00:04:31.130
cybersecurity leaders, we learn to talk more about the

79
00:04:31.130 --> 00:04:33.320
challenges we face and the opportunities from a business

80
00:04:33.320 --> 00:04:37.790
perspective in ensuring that that's understood across the

81
00:04:37.790 --> 00:04:38.510
organization.

82
00:04:39.720 --> 00:04:41.490
Michael Novinson: Very interesting. What are a few

83
00:04:41.490 --> 00:04:44.040
areas within the cybersecurity profession that you're

84
00:04:44.040 --> 00:04:45.450
particularly passionate about?

85
00:04:45.930 --> 00:04:49.440
Michael Owens: Myself personally? I would say it's

86
00:04:49.440 --> 00:04:54.120
where cybersecurity intersects with national security and

87
00:04:54.120 --> 00:04:59.160
geopolitical space. That's not the norm, does not have in many

88
00:04:59.220 --> 00:05:04.890
more professional, private companies, but I think it's

89
00:05:04.890 --> 00:05:08.730
vitally important as the world becomes more globalized, as many

90
00:05:08.730 --> 00:05:12.480
companies start to have either branch offices or suppliers and

91
00:05:12.480 --> 00:05:16.980
vendors that are in other countries and cybersecurity

92
00:05:16.980 --> 00:05:21.150
becomes more global threats, as we continue to see. I think it's

93
00:05:21.150 --> 00:05:24.690
really important that we look at it from that aspect. I'm a

94
00:05:24.690 --> 00:05:27.390
Marine Corps veteran, I joined the Marine Corps when I was very

95
00:05:27.390 --> 00:05:30.870
young. So that aspect of national security is still

96
00:05:30.870 --> 00:05:33.420
really important to me in understanding now kind of the

97
00:05:33.420 --> 00:05:36.840
intersect that we have with cybersecurity being national

98
00:05:36.840 --> 00:05:40.650
security and national security being part of cybersecurity is

99
00:05:40.650 --> 00:05:42.540
one of the areas where it really interests me.

100
00:05:42.990 --> 00:05:44.310
Michael Novinson: How did your time in the Marine Corps

101
00:05:44.310 --> 00:05:46.380
influence your decision to go into cybersecurity?

102
00:05:48.330 --> 00:05:52.590
Michael Owens: Security, just from a standpoint of what we do

103
00:05:52.590 --> 00:05:56.160
in cybersecurity is we protect people, businesses, data

104
00:05:56.190 --> 00:05:59.520
information, not so much unlike what we would do in the

105
00:05:59.520 --> 00:06:03.390
military. Obviously, this is a much different setting. But I

106
00:06:03.390 --> 00:06:08.640
think it has instilled in me the discipline that it takes also,

107
00:06:08.850 --> 00:06:11.550
the ability to empower people, I mentioned that earlier. But in

108
00:06:11.550 --> 00:06:15.810
the Marine Corps, where there is a chain of command, if you will,

109
00:06:16.650 --> 00:06:20.670
you see that replicated, but also to push responsibilities

110
00:06:20.670 --> 00:06:23.880
down to those that are junior and understanding the teams,

111
00:06:24.090 --> 00:06:28.050
understanding threats, is very common, and then understand the

112
00:06:28.050 --> 00:06:31.440
landscape in which you operate. So there's a lot of these kind

113
00:06:31.440 --> 00:06:35.400
of larger thematic type things that we hear we talk about in

114
00:06:35.400 --> 00:06:40.260
the private sector, which is almost hand-in-hand with

115
00:06:40.500 --> 00:06:43.920
military terms or objectives; without the bombs and bullets.

116
00:06:46.350 --> 00:06:47.580
Michael Novinson: What do you consider your greatest

117
00:06:47.580 --> 00:06:49.950
accomplishments as a leader? And how are you successful?

118
00:06:51.510 --> 00:06:56.190
Michael Owens: Building people, building junior cybersecurity

119
00:06:56.190 --> 00:06:59.340
professionals, elevating them, giving them an opportunity to

120
00:06:59.340 --> 00:07:03.300
succeed, evaluating them, and helping to push them along and

121
00:07:03.840 --> 00:07:10.500
navigate and mentor. This is a game of zeros and ones, if you

122
00:07:10.500 --> 00:07:13.650
will, but at the end of the day, it comes back down to people. So

123
00:07:13.680 --> 00:07:16.590
my accomplishment is the teams that I've been able to build,

124
00:07:16.620 --> 00:07:20.760
teams I have been able to lead. Outside of that, I would

125
00:07:20.760 --> 00:07:24.360
probably say, having an opportunity to go to Ukraine,

126
00:07:24.420 --> 00:07:27.540
and work with Ukrainian government about the challenge

127
00:07:27.540 --> 00:07:31.110
that they're facing, and have been facing. And again,

128
00:07:31.110 --> 00:07:35.580
highlight that aspect of how cybersecurity is an impact

129
00:07:35.580 --> 00:07:36.270
around the world.

130
00:07:37.080 --> 00:07:38.580
Michael Novinson: What was that experience like working with the

131
00:07:38.580 --> 00:07:40.980
Ukrainian government? How do you feel someone in your role was

132
00:07:40.980 --> 00:07:41.790
able to assist?

133
00:07:41.970 --> 00:07:45.600
Michael Owens: I think, several ways. I think, being able to

134
00:07:45.600 --> 00:07:49.740
highlight cybersecurity and a part of the world that may not

135
00:07:49.740 --> 00:07:54.210
be getting as much attention. So I was part of a delegation of

136
00:07:54.210 --> 00:07:56.910
like 16 cybersecurity members from around the world that took

137
00:07:56.910 --> 00:08:01.050
part, which was led by now Secretary of State Antony

138
00:08:01.050 --> 00:08:05.280
Blinken. So that was a great opportunity to travel as

139
00:08:05.310 --> 00:08:09.000
obviously, part of it going to a country such as Ukraine. I had

140
00:08:09.000 --> 00:08:12.930
never been there before. But just working with people and the

141
00:08:12.930 --> 00:08:15.810
acknowledgement of the challenges that we're facing,

142
00:08:15.810 --> 00:08:17.730
and things that we're seeing and understanding. There's things

143
00:08:17.730 --> 00:08:21.300
that we're seeing right here. In the U.S., the same challenges

144
00:08:21.300 --> 00:08:24.090
are happening around the world, even in countries that may not

145
00:08:24.090 --> 00:08:27.720
have the necessary budget, or resources that a company like

146
00:08:27.720 --> 00:08:32.520
America would have. So that alone kind of highlights my trip

147
00:08:32.520 --> 00:08:37.020
to really be able to take part in that and help to shape ...

148
00:08:37.050 --> 00:08:40.320
I'll not say shape another country's national security

149
00:08:40.320 --> 00:08:42.780
perspective, but at least add to it.

150
00:08:43.320 --> 00:08:45.150
Michael Novinson: Of course. What advice would you have for

151
00:08:45.150 --> 00:08:47.880
aspiring CISOs or those who have just entered the role?

152
00:08:49.920 --> 00:08:54.660
Michael Owens: Work hard, be adventurous. Take opportunities

153
00:08:54.660 --> 00:08:59.010
that come your way. One thing I think a lot of people fail to

154
00:08:59.010 --> 00:09:03.360
understand, we all joke about entry-level jobs, and they want

155
00:09:03.450 --> 00:09:06.750
eight years of experience, right? But it's various

156
00:09:06.750 --> 00:09:10.770
different types of experience. And when I look at hiring

157
00:09:10.800 --> 00:09:15.090
cybersecurity junior folks, there's intangibles that I look

158
00:09:15.090 --> 00:09:18.000
for. I think a lot of people kind of miss the idea of once

159
00:09:18.000 --> 00:09:21.810
you become a CISO, it's like you're a master of all of this.

160
00:09:22.050 --> 00:09:24.060
Well, hopefully, you're a master of putting really good people

161
00:09:24.060 --> 00:09:27.060
around you. And those people could be communications people,

162
00:09:27.060 --> 00:09:31.110
they could be really good technological people. They also

163
00:09:31.110 --> 00:09:35.610
could be people that are very good at organizing and Chief of

164
00:09:35.610 --> 00:09:39.690
Staff type people. So I think being an evaluator of good

165
00:09:39.690 --> 00:09:43.470
talent is part of it. And then I also say if they're just coming

166
00:09:43.470 --> 00:09:47.130
in, take every opportunity. Every role that you can have, is

167
00:09:47.130 --> 00:09:49.890
only going to make you better if your aspiration is to

168
00:09:49.890 --> 00:09:52.800
lead an entire security organization, having some

169
00:09:52.800 --> 00:09:56.040
understanding in every facet of that because it is a very, very

170
00:09:56.250 --> 00:10:00.570
broad role and responsibility. I think it helps; the more

171
00:10:00.570 --> 00:10:02.370
experience you have in different areas.

172
00:10:03.770 --> 00:10:05.360
Michael Novinson: Finally, what's the valuation of

173
00:10:05.360 --> 00:10:07.670
collaboration among peers in a forum, like CyberEdBoard?

174
00:10:09.370 --> 00:10:13.360
Michael Owens: It cannot be duplicated. I think a lot of

175
00:10:13.360 --> 00:10:18.220
times it's understated. I think a lot of these occur somewhat

176
00:10:18.550 --> 00:10:22.330
naturally sometimes. But something like CyberEdBoard,

177
00:10:23.200 --> 00:10:27.250
when it gives you an opportunity to really kind of focus in on

178
00:10:27.250 --> 00:10:29.380
having that type of collaboration and engagement and

179
00:10:29.380 --> 00:10:33.520
interaction, I think is huge. Again, something that's done

180
00:10:33.520 --> 00:10:36.040
anyway, kind of in an informal type basis, but it's very ad

181
00:10:36.040 --> 00:10:39.070
hoc. And this gives you an opportunity to meet so many

182
00:10:39.070 --> 00:10:41.710
other people who undoubtedly are dealing with the same struggles,

183
00:10:41.710 --> 00:10:45.130
the same challenges that you have, and hopefully have had

184
00:10:45.130 --> 00:10:48.730
some successes and wins, and that you can, again, have that

185
00:10:48.730 --> 00:10:52.240
transfer of knowledge, that inner relationship that you can

186
00:10:52.240 --> 00:10:56.860
build, and not just at one time; that you can build over time and

187
00:10:56.860 --> 00:10:58.720
realize you have people are going through the same thing.

188
00:10:59.440 --> 00:11:01.930
And are looking for opportunity, just like you are.

189
00:11:02.590 --> 00:11:04.570
Michael Novinson: Of course, Michael, thank you so much for

190
00:11:04.570 --> 00:11:05.020
the time.

191
00:11:05.620 --> 00:11:06.550
Michael Owens: Appreciate it. Thank you.

192
00:11:06.850 --> 00:11:09.130
Michael Novinson: Very welcome. We've been speaking with Michael

193
00:11:09.130 --> 00:11:12.910
Owens. He is the business information security officer at

194
00:11:12.910 --> 00:11:16.300
Equifax. For Information Security Media Group, this is

195
00:11:16.300 --> 00:11:18.340
Michael Novinson. Have a nice day.