Published: 01 Dec 2016
Tim Callahan is the senior vice president of global security and CISO at Aflac Inc. -- an insurance provider based in Columbus, Ga. -- whose iconic white duck has successfully branded the Fortune 500 company in the U.S. and Japan. The Aflac CISO is in charge of the global security program, including all security operations, IT compliance and risk management.
He has held several prominent leadership roles in financial services. Prior to Aflac, as senior vice president of enterprise business continuity and information assurance at SunTrust Banks Inc., Callahan was responsible for leading the risk management team and integrating multiple information security functions to provide a unified approach to threat and vulnerability management, mitigation strategies and incident response. He also served as first vice president and CISO at People's United Bank.
Prior to his work in the private sector, Callahan was a military professional for 23 years, ultimately serving a command risk management function as a program manager at a United States Air Force Major Command.
Callahan has chaired numerous conferences, including the IT Governance, Risk and Compliance Summit. This year, the Aflac CISO became the inaugural board chair of the National Technology Security Coalition (NTSC), a nonprofit organization formed in January by the Technology Association of Georgia. The coalition's mission is to further CISO development and build awareness of information security policies and legislation.
What has led to your involvement in the National Technology Security Coalition, and what are your priorities as chairman of the board?
Tim Callahan: I think the major role of the National Technology Security Coalition is to be seen as an honest broker and partner in helping to educate legislatures and policymaking arms of the government. To gain [that] level of trust and respect, NTSC must remain nonpartisan. As we build the coalition, I hope to ensure that all board members and sponsors stay aligned to the overriding goal. I think we can hold events that promote these goals and that also help educate CISOs on how they can be more impactful in public policy decisions that are good for America and good for our business climate. We must always seek to serve the larger good and protect the consumer.
How have you seen the role of the CISO evolve in recent years?
Callahan: The CISO has evolved from a technical security role to that of a corporate executive with a risk management focus. Due to the emerging nature of the cyberthreat, the CISO has to know more about intelligence, information sharing, working with government and private industry counterparts and how to tailor the security program to further the company's business. Security is no longer an IT issue. It is a business imperative, especially in industries where you have clients' private information. The CISO will continue to evolve in the aspect of business partners and will be relied on more to ensure the investment in security is meeting business needs.
As the Aflac CISO, what do you find interests the board of directors the most? What do you think boards typically need to focus on to have a better understanding about cybersecurity in their role as corporate stewards?
Callahan: Each board member can be unique in what interests them the most. Some are interested in statistics about the number of attempts, while [others] are interested in the threat trend and how it affects the company. However, on the whole, they seem most interested in how we have identified the risk/threat to our environment. Are the measures we're taking to address the threats effective? Are we staying with or leading the industry? And do we have the right level of executive focus and support?
How has your background in risk management, particularly in the Air Force, informed your work in cybersecurity?
Callahan: The training and experience I gained in the Air Force, particularly in the role I had, has helped me recognize risk and almost instinctively classify the risk based on the severity or penalty if the risk is realized. By recognizing these aspects of risk, it helps me make more reasonable decisions about how we should address it. In a world where there are so many threats, one does not want to overemphasize one risk to the detriment of another. This should not be a guessing game, but be as conscious and prescribed as possible.
About the author:
Alan R. Earls is a Boston-based freelance writer focused on business and technology.