Published: 01 Feb 2017
Lenders have relied on FICO ratings to assess future credit risk for decades. Vickie Miller, in her role as CISO at the San Jose-based data analytics company, has spent years managing cybersecurity and privacy risk as the head of its information security programs. A Certified Information Systems Security Professional and Certified Information Privacy Professional, Miller received the ISE Central Executive of the Year Award 2015 from T.E.N., a national tech exec networking organization. Recently, for a time, she also served as the senior director of cybersecurity product management at FICO.
Miller has also made her mark beyond financial services. She is an executive board member of InfraGard, a partnership between the FBI and the private sector, which works to share information and intelligence in an effort to prevent hostile acts against the United States. As an extension of that program, she works with the FBI Citizens Academy, which involves individuals in leadership roles -- ranging from CIOs to ministers -- in information sessions and discussions about law enforcement, national security challenges, protecting intellectual property and more. "As part of that, I was even invited to a program at the FBI academy at Quantico, Va.," Miller said.
While Miller continues to focus on keeping FICO secure, she also offers input and advice to company teams involved in creating security-related products. "We are the subject-matter experts because we are the ones that stare at the screens, so we have a voice in seeing how the tools are developed, which is a little novel for my team," she said. Alan R. Earls caught up with Miller to ask her about the changing role of CISO as information security programs are recognized as a business requirement.
How do you see the role of CISO evolving?
Vickie Miller: If you look back at the past decade or so, there have been an increasing number of CISOs being appointed at companies across all industries, which is a great thing. The ROI of having a CISO is clearly demonstrable. I have seen statistics that indicate that losses from cyberattacks at companies with a formal information security program and with a person in charge of it are significantly lower than at other organizations.
Vickie Miller, VP and CISO at FICO
FICO has always had a security focus because we serve the financial services sector, but more and more companies are [adding the role of CISO] and institutionalizing their information security programs. The Target breach led to liability for directors. Widespread visibility into that situation has encouraged a lot of publicly traded companies to invest more money in security and in terms of elevating the issue across the company. A CIO must be more understanding of risk and data privacy. What I have found personally is that I love the nitty-gritty operational and tactical things, the hunting and adversary work. But I do less and less of that as I have learned that you must become an ambassador for what needs to happen within a company to keep it secure. You need to communicate about risks and how to mitigate them. The business must know that security is inherent to what we do. You can't just say so; you must elevate an understanding of the ramifications surrounding security and engage people in making improvements.
What is your focus these days at FICO?
Miller: It is wide-ranging. There has not been a day I can think of at FICO where something new, different or interesting didn't happen. It might not be exciting, per se, but it is very stimulating to work in an environment that requires a certain breadth of knowledge. You must have diplomatic skills and a sort of thick skin and a tolerance for fatigue. But I think of some people who find themselves in jobs where they say they are bored. I can't imagine ever being bored. Some would look at this work and say that all you are doing is looking for anomalies and alarms. I must tell you some of the developments in tools are very interesting. There are a lot of opportunities to hunt for things, and there is always an adversary out there.
Is there a key to staying on top of your game in the role of CISO?
Miller: I would say there must always be a passion for learning and often for displaying Myers-Briggs type ENTJ [extroversion, intuition, thinking, judgment] characteristics.
Will the shift in CISO responsibilities affect reporting structure?