Information Security

Defending the digital infrastructure

High-stakes role of CISO: Scott Howitt, MGM Resorts International

Many organizations are making the CISO a peer to the CIO or taking the position out of IT altogether, says Howitt, who has held several technology and leadership positions.

The role of CISO can keep you up nights, but it has its lighter moments. Scott Howitt, senior vice president and CISO at MGM Resorts International in Las Vegas, likes to tell about the frantic call he got from an executive at one of his previous positions: Russian gangsters had broken into his machine and were threatening him. "I thought that was odd behavior for Russian cybercriminals as they are usually only after money," Howitt recalls. The reality turned out to be less frightening. The executive's son had installed spyware on his father's PC and would turn on the webcam to spy on him at work. Then he would make phone calls in a Russian accent and tell his father that he was watching him. "It was meant as a prank, but when my cyber team discovered the truth, the executive was a little embarrassed," Howitt said.

In his 26 years of experience, Howitt has held various technology and leadership positions. Prior to joining MGM Resorts International, Howitt was the vice president and CISO at JCPenney and director of information security at Alliance Data Systems. As a founding member of the advisory board for the Retail Cyber Intelligence Sharing Center (R-CISC), which is dedicated to public and private security information sharing, and as a member of the Nevada Commission on Homeland Security Cyber Security Committee, he shares his hard-won expertise with the wider industry.

How have you seen the role of CISO evolve in recent years, and what changes do you anticipate in the future?

Scott Howitt: The change that really strikes me is the elevation of the role of CISO. Ten years ago, we were buried in the infrastructure team and we were known as the 'security guy or gal.' Some forward-thinking companies had a CISO, but most did not. Now it is seen as a key role, and many companies are making the CISO a peer to the CIO or taking the position out of IT altogether. The CISO now has regular meetings with the audit committee and often the full board. With digital enablement and the internet of things, there are many new challenges that may not involve IT that still require CISO awareness.

In your career, what are some of the initiatives or accomplishments that you feel were most significant?

Howitt: After the Target breach, there was a big panic amongst retailers. Many companies had let their security lapse, and some did not even have a security department, let alone the role of CISO. A group of concerned retailers met at the National Cyber-Forensics and Training Alliance in Pittsburgh and the idea for the Retail Cyber Intelligence Sharing Center was born. A group of about 10 companies led the charge on establishing the 401(c)3. JCPenney was one of the founding companies, and I have been on the board of R-CISC since the start. The sharing of cyber ideas and threat analytics is rewarding because you are not only helping your company, you are helping the cybercommunity as a whole. I feel very fortunate to work with the members of the R-CISC and have enjoyed seeing it grow from an idea to a vibrant organization.

When you speak to others about cybersecurity, within your organization or beyond, what are your most typical bits of advice?

Howitt: Slow down and don't be so quick to click on that link or open that attachment. Cybercriminals prey on people's instinct to complete a task or help a person in distress. That is why so many of the phishing attacks use tactics like 'Someone has your password, reset your password now,' or they will use tragic events like natural disasters to lure people into giving out their information. If you feel you need to reset your password or you want to make a charitable contribution, go directly to the website and do it; never click on links.

About the author:
Alan R. Earls is a Boston-based freelance writer focused on business and technology.


This was last published in December 2016
