The CISO position continues to evolve and mature, and perhaps no one has a better seat to observe these changes than Tammy Moskites.
Moskites, managing director of Accenture Security, spends much of her time advising other enterprises and their CISOs on ways to improve their infosec programs and practices. Prior to joining Accenture last fall, she spent several years in the CISO role at Home Depot and Time Warner Cable, and most recently served as both CIO and CISO at Venafi.
"When I joined Accenture, I thought this was a better way to actually be able to help multiple organizations with bigger solutions to their problems rather than just a product solution," she said in a Q&A at RSA Conference 2018.
In this interview, Moskites discusses her new role and her observations about the changes and challenges facing people in the CISO position. She also discusses the cybersecurity workforce shortage, as well as her efforts to promote infosec careers to younger generations. Here is part one of the interview with Moskites.
Editor's note: This interview has been edited for clarity and length.
Do you see yourself as almost like a virtual CISO?
Moskites: I'm a trusted advisor. The great thing about being able to work at Accenture, especially in the security area, is that I'm not their CISO, but I am a CISO. And you don't ever wash that off you. You try to, but you can't. I've got that experience.
What makes it exciting is that when I go into customers, they're not just hearing some consultant telling you, 'Oh, you need to do this,' because they've been a consultant forever. I've been in rooms where I've actually sat there and listened to customers after they made deals or are talking through deals and I say to myself, 'That's not going to work for them.'
That's where the trust comes in. They know my integrity, and they know that I'm not going to BS them, and I'm going to give them what they need and only what they need.
What are you hearing from CISOs lately? What are they struggling with? For example, there have been some discussions at RSA Conference this week about enterprises struggling with incident response.
Moskites: Incident response is always a challenge, and I think it's a maturity thing. We have so many different things coming at us, whether it's ransomware or even a zero-day. You can't plan for everything.
You have to make sure that, foundationally, when you're planning your incident response program, that you're testing it and that you're making sure that you know who to contact. And you have to keep it evergreen.
And what happens a lot of times is people say, 'Well, we built an incident response plan last year but three of the critical people on that plan are gone.' Who do you call at the bank? Well, Joe is gone, so who's the backup?
It's all of those things that go into the down cycle. Incident response is always a challenge. And, also, just trying to find people to do the work is hard. Hiring is another big challenge.
[RSA president] Rohit Ghai said during his keynote that we don't often hear a lot about cybersecurity wins in the media, for various reasons, but the infosec industry sees a lot of its failures in the press. Does that create a negative impression of the industry, and maybe on some level discourage people from entering the profession?
Moskites: You're looking at the day in the life of a CISO, or a day in the life of a security professional. But think about it -- you have the day in the life of a lawyer, and you have the day in the life of a doctor, and these are all professions that are challenging for people.
I think the reason we're struggling to fill jobs is because it's not brought to the young folks. We don't show them that it's actually something that they'll enjoy and something they'll be passionate about.
I'll go in and talk to kindergarteners; I'll sit on the floor and talk about computers and about bad guys and good guys and good girls and bad girls and how important computers are. And you use the same materials on adults [laughs].
But it's true; it's really working for them. I even work at the high school that I graduated from. I give out a scholarship of my own every year. I have them write a one-page essay about why you want to be in cybersecurity and I give it out every year. It's nice to be able to go in and get to talk on scholarship night and talk a little bit about my career.
What advice would you give students about the CISO position?
Moskites: The best thing is [that] I've always had that business focus. I understood business. That's our hat now.
The CISO is not just a technologist. We have to understand the business, we have to know how it aligns to the business, and we have to make sure that we understand compliance and cyber resiliency as a whole. And I think that that's what's really changed.
A lot of our CISOs that are successful now really find that business enablement piece and the true business risk tolerance and understand them. That is critical. The CISOs that aren't so successful are the ones that are still considered to be the office of no, and it becomes very problematic.
Obviously there's a lot of turnover with CISOs. Is the deck sometimes stacked against them?
Moskites: It is. I was moderating a CISO panel at another event a few weeks ago, and what we talked about is what really sucks for us as chief security officers is this: If the company gets breached, I'll probably lose my job even though I didn't have a lot to do with it, or anything to do with it in some cases because the business made a risk [assessment] decision to implement X, Y, and Z.
All I can tell you as the CISO is, here's your issue, but I can't accept the risk. I acknowledge that you accepted the risk. But what ends up happening in a breach is that we lose our jobs and then we become unemployable.
We were talking on the panel about malpractice insurance of sorts for CISOs. How do we pay our bills when we are washed up for something that we didn't have control over? We should have our own liability insurance. And it's that kind of challenge. It's a hard life.
In the last 20 years, before I joined Accenture specifically, but in 20 years, I have not gone to bed without either a pager, cellphone or my regular phone under my pillow -- even on vacation.
But the thing is that I chose to do that because I was learning, and I learned every day. And, as a CISO, if somebody's in that job even if they didn't have that title back then, it's important to be able to react and to be present.
Technologies have changed a lot, too. We have a lot more security automation and orchestration in play, and that helps.
Does the CISO role need to change? Do CISOs need to focus more on enabling business operations or should they have even greater control over the technical aspects of an enterprise?
Moskites: Yes, I think the role is changing. I think what you're seeing with our roles and responsibilities, as I said earlier, is that the business focus is critical.
I need to understand my lines of business, but I can't do it all by myself. You need strong security liaisons that align with the business and meet on a regular basis, sit in their staff meetings, understand their portfolio, understand the work that's coming through, and bring that back into the larger security organization. And, this way, you have a better grasp of what's going on, and you have that relationship with the business.
And, once again, it's important that they become trusted advisors. That way, we're proactively partnering and making sure security controls are being put in upfront.
Also, programmatically, I think it's important for the CISO not to report to the CIO. I think they're definitely peer roles, and they have to work in orchestration just like any other business role. And if you don't have them working all in orchestration, then you do get gaps, and you get that blind spot where the CISO is not getting enough face time [with upper management]. You need that fine balance.
Is everything going to be perfect? Hell no. We have to think smarter, and we have to always try to be ahead of the game and know that somebody's still going to be ahead of us whether we like it or not.
But the main thing for CISOs is they need to build a good, strong foundation with a really good understanding of what their critical assets are and be able to make sure that they're at least protecting those and then build it out from there. We have too many things touching our network so, really, the most important piece is protecting your crown jewels.