Lucia Milica, global resident CISO at Proofpoint, talks about how the CISO role has evolved and the challenges that CISOs face when interacting with the leadership team. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.
Lindsey O'Donnell-Welch: I would love to hear more about your own background.
Lucia Milică: So for me, I started into this space very early on, I began coding when I was 12. I am born and raised in Romania. So I began coding at 12. And I studied computer science in high school, I moved to the Bay Area very early on, and my first job was doing Y2K compliance for Wells Fargo Bank. So that was sort of the beginning, into the tech sector. But I think what's unique about my skill set, I'm passionate about law and technology. I love them both equally. Cybersecurity and privacy are both very near and dear to my heart. Now, taking a step back and looking back when I first started, I wouldn't necessarily have thought that I would end up in cybersecurity, primarily because cybersecurity was not a defined space nearly 30 years ago. So technology was a big area of influence. And for me, it was really the blend of technology, business, and law that I think ultimately have led me to where I am today.
I do feel that in many ways, I am a product of the CISO evolution, just kind of reflecting back at my career. So as I mentioned, I started early on doing coding, I got into IT infrastructure, so started as a systems engineer, as a sysadmin first, and over time, sort of graduated to a systems engineer role, like everybody else early in the days in the 90s, spent a lot of time with the MCSE certifications, and all the various different technology that sort of brought me up to being a systems engineer. But if I kind of take a step back and look at the pivotal steps, it's really moving in from systems engineering to more specifically around Active Directory and Exchange. And if we think of the threat landscape today, email is still one of the top threat vectors across the board and I've been focusing so much as an Active Directory engineer and expert, it was very much focused around access controls, authorization needs based permission, RBAC, I spent many years doing RBAC implementations. And this is way before we talked about needs-based permissions. So that was a big stepping stone. From there it was always a natural progression towards eDiscovery, and records retention. And it was probably my love for law in the background that has played a little bit into that. I didn't go to law school until years later. But at the same time, while I worked full time, I went to school at night. So all of my degrees were done as I continued to grow and progress in my career. And I feel like each one of my degrees really helped from undergrad to my MBA to my JD later on, and Masters in cyber, they all helped along the way with putting the business in perspective and understanding both the tech and the business side of the equation and really honing into the risk. But as I moved on from the natural extension from email, and running Exchange systems and architecting new technology, that sort of morphed over time to, as I mentioned, e-discovery and that investigation side of the house. I think that first stepping stone towards security, it was still very early on, and that sort of move towards more investigations, Governance Risk and Compliance became a big piece of it. But then from there, the next piece was getting more involved into M&A and integration as a result of M&A, that came into who's accessing what, network connectivity, safety, etc. to IP protections or intellectual property protections, and over time, got into running a lot more of the IT infrastructure space and being the only person with a security background in the room, it was a natural progression in my career into, you know, taking over security, taking over intellectual property. It was around that time when I started law school, that a lot was happening around data, supply chain vendor risk became a bigger concern. And I was one of those people that raised my hand to take it over. Like, let me figure it out first. So through that, they all helped more the CISO that I later became, but those are all I think, stepping stone that that made me a well rounded technology and business leader, where I could bring all of those pieces into one.
Lindsey O'Donnell-Welch: Was there any pivotal moment that made you decide to go down the CISO track?
Lucia Milică: That's probably now about 10 plus years ago. So at the time, I was running security without the CISO title. So I built security from the ground up, I was the security person and the privacy person, but I just had a VP of infrastructure type of role. And it was that time that I got more and more down to the data governance track, that I realized that okay, this is a conflict of interest, it was probably very early on and it was in law school, that I started thinking more in terms of risk, probably was my first year of law school, that I raised my hand to my CIO, and I said, "Look, I can do it all, so there's not a problem. Can I do it?" I believe that it is not right for me to own everything. I think we're getting into a point of conflict of interest. And if I am to take those like, which side do you want to be? Do you want to have security only, do you want to have security and privacy, privacy only or IT infrastructure, and that was a pivotal moment, when I said, "Well, I love IT infrastructure." And at that point, I was in it for over 20 years. So that's how long that's been. I felt like I knew IT. But security and privacy were something that I was so passionate about it, that's when I basically raised my hand and said, "I would love to just own security and privacy." And we need the right checks and balances, we need to ensure that we there is no conflict of interest in between. But I can put in all of those processes. And at the time, I was building data governance and overall security and privacy governance and implementing ISO 27001. And I was going through the various different layers of protection and checks and balances, it was very clear that I needed to decouple my ownership of IT infrastructure from the security side. And that was probably while I was trying to do everything prior to that, that was a defining moment where I said, "I'm only going to do this, this is where my passion lies. And this is where I think I can be more impactful for the organization."
Lindsey O'Donnell-Welch: What are some of your responsibilities?
Lucia Milică: So I'll tell you my day to day in my previous role compared to my day to day in this role, because I think it's really important. So in my previous role, I own all aspects of data privacy and security, from corporate security to product security. So DevSecOps, privacy and security by design, and data governance, across the board and a day in the life was anything from meeting with execs trying to drive product consensus, trying to drive a culture of security, understanding what are the business goals and trying to achieve how I could enable those business goals securely, and really sort of that building that consensus and risk profile for the organization. I do feel that an effective CISO should have a strong business acumen. And so a lot of my job was probably interacting with the executive team and their deputies, their direct reports in the organization in terms of driving awareness, data ownership, controls, etc. And then there's the other aspect of it, of course, is you're always on call 24/7, working with your security operations team, making sure they have the eyes on the glass to see what's happening. So sort of a constant shift between business strategy, business enablement to threats and trying to make those decisions in near real time. Now, fast forward to today, in my current role, I run a team of advisory CISOs across the globe, so I don't have the internal operations responsibility as I did in the previous role. In this role, I'm primarily focused on the eight CISOs in my team around the globe, and we spend our time advising customer CISOs across the globe, which is a value-add for them as being customers, around what is top of mind, what are the top threats, what are some of the best practices that we as operational CISOs - every one of this was my team had been operational CISOs prior, so they've had experience in those roles - our CISO community broadly, in terms of what's top of mind, what are some of those best practices? So a lot of what I do today is coaching and educating... and it doesn't matter where you are on the spectrum, I can be talking to a Fortune 10 global CISO or I can talk to someone where the company has 3,000 to 5,000 employees, right? So doesn't really matter for us aware on the scale, but if someone has a challenge or a program, they're trying to undertake, like, "hey, I need better board metrics, you know, what are some of the other CISOs doing? What are your best practices? What have you learned about it? Can you help me on my board deck?" As an example, or "I'm undertaking a Data Governance Program end to end, what have you learned? Or what are others doing? How have you tackled this challenge? How are you working with execs?" So it's really being that trusted partner and sounding board to our overall sense of community that set the core of my role today. And that has been definitely a shift in mentality when I took this role. I wasn't quite 100 percent sure that this was the right next steps, but I was very much driven by wanting to be impactful, and be able to help more than one company at a time. Being in the operational role was fantastic, right? Because you can get into the depth of that technology can really shape how you mature the security program and drive the culture of security. But you do so one company at a time. So that's time that you invest in transforming that program; in this role, it gives me the opportunity to impact more than one company at a time. And really, I wanted to, to use my knowledge and experience to be impactful and be able to give back to the CISO community.
"I do feel that in many ways, I am a product of the CISO evolution, just kind of reflecting back at my career."
Lindsey O'Donnell-Welch: How has the job of CISO evolved over time?
Lucia Milică: Yeah, so it's interesting. And I think I mentioned earlier that I do feel that I am the product of the CISO evolution. Over time - it was maybe 20, 25 years ago when I started what was a very technical role - you probably know that the CISO title did not really exist. It was just a portion of someone's responsibility, which was the case for me. So that role, I think, has started as a traditional technical role to what now has shifted to more of a business and a risk role. And while you still have to have the technical acumen, I think there's still a stronger need for business and risk acumen and being able to communicate. But just thinking through the last 10 years, the role and complexity has changed and morphed, while we traditionally just focused on intrusion, perimeter-first technology, to a business enablement role. The digital transformation has really accelerated business enablement for a lot of organizations, but brought with it a number of more complexities. We live in a very decentralized mesh technology world, and so is the data. And when you add to that the sophistication and volume of cyber attacks that we have seen over the last several years, it really has elevated that cybersecurity role to the board level in most recent years, but also the skill set that are required for a CISO to be successful in their role, shifted from needing to understand industry to now needing to understand framework and policy and governance and oversight and geopolitical issues, nation state attacks, to business enablement to rapid emerging tech, as just a few of the examples of how this role has changed. Now, in addition to that, you have to think through what is your impact for the company's bottom line, the P&L? Cyber risk is business risk. And it's really important that a CISO is able to understand the business goals, understand the board's responsibility for creating shareholder value and be able to enable the business to achieve those goals while doing so securely. So those conversations were not taking place, 15, 20 years ago - not even 10 years ago - right? We started seeing that shift. But that has really been drastically accelerated over the last several years due to the digitization and commercialization of our overall business systems that we heavily rely on to enable businesses.
Lindsey O'Donnell-Welch: Do you see a future evolution of the CISO role continuing in the future?
Lucia Milică: Oh, absolutely. And we've seen a number of headlines, of course, in the news recently. Gartner came out and said that they expect that by year 2025 that cybersecurity will become a priority for boards, which it absolutely has become - and I'll give you some stats from the recent board of directors survey that we conducted - But also they said by year 2025, 40 percent of boards will have dedicated cyber committees or at least one qualified board member overseeing cyber risk in their organization. We have started seeing, for example, the Delaware Supreme Court Justice Chief Justice Collins Seitz said that boards must be able to demonstrate proactively they that they are thinking about systemic risk within the organization. Twitter, of course, we had Mudge's testimony from the Senate about the capability of the executive team to understand the scope of cyber risk broadly, you had the SolarWinds shareholder derivative. I mean, there's so many different breadcrumbs throughout. We recently conducted our Cybersecurity: The 2022 Board Perspective, where we surveyed 600 board members from organizations of 5,000 employees and higher, in asking about trying to understand their sentiment, vis-a-vis cybersecurity, but also how do they engage with their CISO, what did they value most in the CISO, etc. And a few other stats that I think are really important is that while CISOs and board members came from different backgrounds, diverse backgrounds, they're really bringing a different color of their overall perception of risk broadly. And so one example is the disconnect between CISOs and boards when it comes to security. We've seen in this report that 65 percent of board members globally believe that their organization is at risk of material cyber attacks in the next 12 months. And that compares to 48 percent of CISOs. So those numbers are a little bit different. Now in the U.S. specifically, this disconnect is even higher amongst all the countries that we surveyed, we have 78 percent of boards as opposed to 34 percent of CISOs. So you've seen some example of that disconnect between CISOs and boards.
Lindsey O'Donnell-Welch: What are the top challenges that CISOs face in interacting with board members or other C-Suite executives?
Lucia Milică: Absolutely, I think there are a number of other challenges. So, one of the questions that we had is about seeing eye to eye with their CISO, we asked the same question of the boards. And of course, you have a higher number, and I don't recall exactly the number, but there was somewhere in the 60th percentile of board members believe that they see eye to eye with their CISOs versus only 51 percent of CISOs believe that they see eye to eye with their boards. And there are a number of other stat throughout. But to me it really goes to the communication disconnect that we have. And it's no surprise that we saw the Gartner prediction that proposed SEC cyber rules that are slated to come out in April 2023. So the jury's out about what that final rule will look like, however, something that is clear is that we've seen a trend of the need for cybersecurity expertise on boards. And while of course, you know, board members have a wide array of experience and knowledge, etc. Cyber Risk is a complex topic, it really does require a good level of understanding on how this manifests down the rabbit hole to truly ascertain the full systemic risk impact that cybersecurity can have on the broader organization, but also the ecosystem outside. I mean, take for example, you know, SolarWinds and how that had ripple effects with their customers across the environment. And we've seen that with Log4j and Follina, and some of the other ones as examples of how this can get out of control really quick. So, being able to truly ascertain cyber risk as part of your broader business risk is not only a communication matter, but it's also the ability to understand and absorb that information. And I think you'll need a little bit of both. While CISOs need to continue working on translating technology and technical risk into business risk and be able to better deliver that risk story to their board, at the same token the other side of the aisle, right, we need the board to be able to understand the true implication of of cyber risk on on the ultimate shareholder value and business goals.
"Cyber Risk is a complex topic, it really does require a good level of understanding on how this manifests down the rabbit hole to truly ascertain the full systemic risk impact that cybersecurity can have on the broader organization, but also the ecosystem outside."
Lindsey O'Donnell-Welch: When you're looking at a business do you have this concept of security-focused culture in mind? Do you start there and who needs to be involved in those conversations?
Lucia Milică: So for me, it starts at the top. You have to have the support of the executive team. So it's interesting, right? Because while you have a number of boards and execs that understand that cybersecurity matters, there is a difference between knowing that it's important and actually prioritizing. So to me, it's really, really imperative that you have the right support at the top, that you have the right executive backing, to be able to be impactful and make a difference. Now, successful CISOs able to build and drive that culture broadly around organizations, there's a lot of awareness and education that needs to happen, that can be abrasive or can be mandated, right? So while you need to have that support, you need to do so in a way that you can look not only on the bottom line, but how are you able to enable your end users and the broader employee community to do their jobs and do so securely? Their role is not to understand all the intricacies of security risk. And while it's important, cybersecurity is everyone's job, and everybody's responsibility, and driving that culture is easier said than done, right? Because it takes time, it's multi year, and it has to be multifaceted. At the same token, we can't expect every one of our employees to be cybersecurity experts. So that has to be somewhere in between, in the middle between driving the culture, driving awareness and building those behaviors over time and understanding the user behavior. There are also aspects of it to where you have to be able to implement the right controls, to pick up everything else, so that users can do their their job securely. But it really has to start at the top, you need to have a top down and bottoms up approach. I will give you an example; my last role, while I spent a lot of time doing awareness and education with our CEO and our executive team across in terms of business impact, and valuation impact and risk and having those tough conversation around risk and mitigations, at the same token, my team and I would spend time with our engineering team doing brown bag lunch and learn events in terms of secure coding, and what to be aware of and focus on vulnerabilities and why things matter. So you have to be able to dive into the details with everybody else, whether there's engineers or customer success or IT across the organization. At the same token you need to be able to elevate that conversation up with the board and executive team and meet somewhere in the middle. That's a transformative project, it takes time, there is a number of nuances that go into it and into making one of those programs successful. The check-the-box security awareness training and phishing test is not enough. You need to think through those systematically and and in a multifaceted way.
Lindsey O'Donnell-Welch: Are there any security threats that you think that organizations should be most aware of right now, especially going into 2023?
Lucia Milică: Absolutely, I want to call out a couple of them that actually were in our Voice of the CISO report, because I do think they are very much still top of mind for the security leaders across the globe. And one, the biggest one that we have seen a huge increase is insider risk, insider threats. That in itself has been not only called by our Voice of the Cisco - that we interview 1,400 CISOs globally - as the top cyber threats that they are focusing on. But we have also seen in a number of our own reports the insider threat rising exponentially across the board. So I think that is going to continue to be a huge area for for security leaders across the board. Interestingly, though, in our board report that was lower down on the list. The second one that continues to be an area that we all struggle with is supply chain risk. There's not a clear answer to solving it. We all know it's a challenge. We all rely on the limited toolsets that we have today. But that I think is a big area of concern in terms of cyberthreats and one that we're all trying to wrap our heads around.... And really, I think, at the core of it all, those are some of the examples, we really need to take a step back and get back to the core, which is that cybercriminals are continuing to target and exploit people. And we have to be able to focus on that multi-layer protection and strategy against the social engineering and overall, the human factor exploitations. We see that more than 90 percent of threats observed require some sort of a human interaction to execute. And those threat actors are regularly leveraging topical, timely, social, relevant themes as lures. And it's really important to be able to double down and focus on that human element as a defined layer of defenses for your organization, as a non negotiable. We've figured out our basic hygiene, and that's absolutely critical, you need to still focus on the basic hygiene, focusing on the people layer is key. And then last, but not least, data, as we know, is at the core of what threat actors are after, data is the new currency, as we all know. So focusing on defending the data broadly is really, really important. And actually, both the Voice of the CIO and the Board report both have information protection data governance, data classification as the top area of focus for the next 24 months for both CISOs and board members, which really underscored the need to focus on a broad data governance strategy.