This article is the first in a series of interviews with CISOs in various industries. Our goal is to share our conversations with different Chief Information Security Officers about how they deal with daily tasks as well as the bigger picture of innovating security practices around business operations.
Gary Hayslip is currently the Deputy Director and Chief Information Security Officer for the city of San Diego, a role he’s held for the past two years. Previous to that, Gary spent over 25 years as a Information Security professional in the US Navy Command, working his way up to becoming CISO.
We had the opportunity to interview Gary about the risks and rewards of securing a major city, as well as what he’s learned over his many years in the industry and shared the highlights below. You can also grab the full interview here and be sure to follow Gary on Twitter!
Checkmarx: How did you first get interested in security?
Gary: In the military I read the book Information Warfare that fascinated me with the idea of how computers and networks could be used as weapons. After that, I became interested in security and how networks and computers could be hacked and proceeded to build a lab in my garage to teach myself – my wife wasn’t happy with the lab.
How did being in the Information Security sector in the Navy prepare you for your future CISO roles?
One of the main things it did to prepare me for being a CISO is it showed me the importance of “visibility”. As a CISO you really need to understand what’s important for your organization, what strategy is critical for your business and the workflows, data and technologies that are required to execute it.
What changes have you seen through your years in InfoSec?
I’ve noticed InfoSec has mainstreamed to a valuable part of an organizations portfolio. Companies funding InfoSec and using it as a business enabler are more nimble and able to absorb a security hit and come back from it quicker. When those that ignore or marginalize InfoSec have a breach, they’ve underestimated their risk exposure and pay the price for not being properly prepared. As for attack methods and technology, technology has become more sophisticated and the money poured into developing attacks to breach this technology has also increased. What concerns me is many attacks now take well-funded, coordinated teams to exploit vulnerabilities and many of the new technologies being developed lack security at the basic levels, with security added-on later. “Security–by–Design” should be a mandatory requirement.
What were your biggest challenges when you first became a CISO? How has the role changed over the years?
Some of the biggest challenges when I first started as CISO were realizing you need to quickly meet your stakeholders and do an inventory. You can’t protect what you don’t know exists or how critical they are. Over the years, I’ve developed a system of five steps when I come into an organization, because the role of CISO changed from a technical role to one requiring knowledge of IT, Cyber Security, Risk Management, Compliance and Business. These five steps give me a more well-rounded view of an organizations’ enterprise IT architecture, the maturity of its security program and a better view of what’s important to the business so I can then proceed to reduce its risk exposure and protect it.
Why is continuing your education and reaching higher qualifications important to you? Do you think continuing your education is particularly important in information security because of the constant advancements?
To me, [InfoSec professionals] have to stay with the technology/threat curve. Cyber is a very dynamic space and I have come to realize that to be an effective CISO and provide value to my organization I need to be educated on the threats that we face, the new technologies that we want to implement and the risks involved to our IT portfolio.
It is not my job as a CISO to tell one of my stakeholders “No” you can’t implement that technology; instead it’s my job to say “Maybe”. However, if you say maybe you need to be able to provide alternative solutions that meet the risk portfolio and technology road-map your organization has in place and be able to provide “workarounds” that still enable your stakeholders to be innovative without endangering your organization. You need to be educated on new technologies and understand the enterprise architecture.
Besides certifications, how do you stay informed on InfoSec news and innovations?
I’m on the Board of Directors for several Cyber Security Startups and am Co-Chairman for Cybertech, a Cybersecurity & Internet of Things incubator. Being involved at this level with startups and professional organizations such as ISSA, ISACA and Infragard keep me informed of new technologies and continually educate me on the evolving threat landscape.
I also make it a point to go to Blackhat & DefCon every year. I go for the training and network opportunities, but I also go to be humbled, to meet people way smarter than me who I can learn from and gain more context into issues in cyber security or data privacy that I had not thought of. Coming away from these events I typically have lists of things that will keep me busy for the next year.
What are the biggest challenges to being CISO of an entire city?
Some of the biggest challenges we face are dealing with disparate technologies and the City’s constant state of change. Cities of this size use data & technologies differently than the commercial world, keeping technologies for longer before they refresh them, making it challenging from a risk management perspective. Along with that, other departments wishing to provide the latest services to citizens require some type of new technology that doesn’t always mesh well with incumbent legacy technologies. This requires the IT Department, and security and network teams to get creative in resolving the risk issues and upgrading plans for how new technologies can be implemented.
How do you get budget buy-in from the CIO you report to? And how much input does he have on your day-to-day InfoSec activities?
I manage the budget for Cyber and work with the CIO and the Deputy Chief of Operations to get their priority on which projects should be funded first. Once I find that priority, I then develop the budget, plans and projects required. Then the CIO and I have our one-to-one meetings where I brief him on completed and on-going projects and the state of planning for future projects. As the CISO for the City I am expected to be able to manage my teams so he can focus on the overall strategy of IT for the City and I execute that strategy.
What are the most important aspects of being a CISO in any organization?
One of the most important aspects of being a CISO is realizing that “Value” is not determined by you, but by your stakeholders. They will tell you what data, services, networks, and intellectual property is critical for the organization to survive. Once you know this, you then have your next critical aspect of being a CISO in an organization and that is “Visibility”. You now have visibility into the network of stakeholders you need to manage cyber in an organization. You have visibility into the key components of the organization that you must plan, deploy & manage a security program around. You now are visible to your stakeholders and C-Suite which will enable you to push cyber forward in your organization to reduce its risk exposure and put a secure, stable platform in place to protect it so they can now be innovative and compete against their competitors.
What is one piece of advice you’d give to fellow CISOs just starting out?
I would tell them to understand it is going to take time, to not rush it and learn to trust and lead their teams. They need to understand their business and meet their stakeholders to develop their cyber program for the organization. I would tell them to build a cyber-certification map and use it to work on new certifications. To always stay curious and keep learning so they can protect their organizations. I would tell them to read my “So you want to be a CISO” article I posted on LinkedIn to have a good blueprint for building out their first Cyber Security program.
What threats has your city faced in recent years and what are the biggest security threats you see for 2015?
The threats we face are just like any $4 billion dollar business of today, just multiplied because cities use technology and data differently than commercial companies. Cities not only have the compliance regulations of companies, they also have state and local laws, along with public records act request. So security threats for cities can be quite unique because of the disparate networks they maintain and the multitude of technologies they employ to provide services to their citizens.
The biggest threats I see in 2015 are continued attacks against protocols that are the building blocks of the Internet and eCommerce today. I expect we will see more attacks on these protocols that will be harder to remediate because they are so imbedded into our deployed technologies. To me there are so many unseen risks with these newer technologies (e.g. the Cloud and IoT) in that many of them are so complex it’s extremely hard to project the vulnerabilities that will surface and require remediation – which is why I am continuously educating myself on them. As a CISO I find it pays to be a little paranoid, I actually sleep better.