Profiles in Leadership: Michael Owens
Equifax BISO on the Need to Create a Cybersecurity Culture Across the Organization
All employees should consider upholding the security of the organization part of their job regardless of their official role at the company, says Equifax Business Information Security Officer Michael Owens.
Owens says creating an organization-wide cybersecurity culture is easier said than done and requires consistent effort as well as support from executive leadership. He recommends a carrot-and-stick approach that incorporates both bonuses and incentives for workers who are highly engaged with improving the company's security and repercussions for employees who don't participate in the training (see: Profiles in Leadership: Octavia Howell, Equifax Canada).
"The underlying aspects of ensuring that you're doing the right thing technically is still important," Owens says. "But as cybersecurity becomes top of mind for everyone, it becomes more and more important that we learn to talk about the challenges and opportunities we face from a business perspective and ensure that's understood across the organization."
In this interview with Information Security Media Group as part of the CyberEdBoard's ongoing Profiles in Leadership series, Owens discusses:
- How the security landscape has changed over the years;
- How joining the Marine Corps influenced his career path;
- His experience in working with the Ukrainian government to boost security.
Owens is a distinguished cybersecurity leader with more than 25 years of experience in startup, corporate, government and military organizations. He has been at the vanguard of some of the most complex issues dealing with security risk assessments, breach mitigation/recovery, threat intelligence sharing and diversity within the tech and cybersecurity industries. A transformation leader and sought-after speaker, Owens frequently keynotes on topics related to cybersecurity, cyber policy and national security matters. In his current role, Owens helps to safeguard Equifax applications and data. Prior to this, he led the global cybersecurity, cybercrime, and critical infrastructure program for EY within the forensics, investigations and dispute division. In that role, Owens was responsible for the global strategic direction and standardization of threat intelligence, cybersecurity assessments, audits and incident response services. Before this, he was a key member of the public sector advanced service team at Cisco Systems. During this time, he led cybersecurity, information security risk and IT strategy engagements for government agencies and universities across the Southeastern United States and New York.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Michael Owens. He is the business information security officer at Equifax. Good afternoon, Michael, how are you?
Michael Owens: I'm well, thanks, Mike.
Novinson: Let's talk a little bit about leadership today. Want to get a sense of what are your biggest priorities as a cybersecurity leader in your organization?
Owens: I think the biggest aspect to cybersecurity leadership is empowering others and creating a cybersecurity culture throughout the organization. A lot of people talk about culture. But it truly is one of the hardest things to do to implement, but also one of the most rewarding things. Security has to be a process that everyone buys into. It can be tough. I think, buying into changing the culture, infusing that culture into the organization - any organization - is the key to being a good cybersecurity leader. I think the other aspect is that within this profession, things are always changing. So being adaptable, having foresight, and ensuring that you are working throughout industry, not only in your business, but looking externally to see what things are going on, and being able to adapt to this.
Novinson: In terms of building that security culture, what have you found to be the most effective strategies or best practices to do that?
Owens: Consistency; gaining buy-in from the CEO on down of just how important security has to be, and every company is different, we have to acknowledge that, I think. But when you're able to get support from the executive leadership, this is something we need to have is key. The second thing, which I mentioned earlier, was consistency. It has to be something that is literally spread through every single part of the organization, no matter what type of industry you're in. Empower everyone to feel like it's part of their job duty. It may not be in their job description, but it's part of their job to ensure that they help uphold the security of the company.
Novinson: What are some of the ways you've gone about doing that in terms of spreading security throughout the organization? How do you do that, from the perch of the CISO?
Owens: There's multiple ... two different ways. There's the authoritarian strong old practice of tying it to the HR aspect. If you don't do this, therefore, there are repercussions because of it. I mentioned before the consistency perspective, so cybersecurity awareness training, and not only conducting the training, but also, again, building it into the organization itself. So testing responses for phishing, for example, and making sure that's something that's done on a regular basis. I know this is done, but also reported out. I found it helpful to take those results on a monthly or quarterly basis, and share them back to the employees. So they can see for themselves what's going on. A cybersecurity awareness training program is part of what most companies do as well. I think the last thing is incentivizing people. It kind of goes with empowering, but also incentivize them to where, as we do see better results, there's some sort of incentives that go along with it, potentially, bonuses, which everyone seems to like, and various other things.
Novinson: So, as a cybersecurity leader, what are some of the most valuable skills you've drawn upon?
Owens: I think that's changed over the years. I think I used to say, how technically astute someone was, or with my own background, being someone who grew up from the Help Desk, into the wiring closet and routers, switches, firewalls, truly understanding how technology works, and then understanding the threat vectors, and ultimately how to mitigate those to growing into a global cybersecurity leader, where it's truly about risk, and how to add better value for the organization for the company. It's in the same kind of linear line. But I think at some point in time, you start to focus as a security leader on the risk and how you can mitigate or transfer risk within the organization. That's how you ultimately bring value. The underlying aspects of ensuring that you're doing the right things technically is still just as important. But I think as we continue to evolve as an industry, as cybersecurity becomes top of mind for everyone, that it becomes more and more important that as cybersecurity leaders, we learn to talk more about the challenges we face and the opportunities from a business perspective in ensuring that that's understood across the organization.
Novinson: Very interesting. What are a few areas within the cybersecurity profession that you're particularly passionate about?
Owens: Myself personally? I would say it's where cybersecurity intersects with national security and geopolitical space. That's not the norm, does not have in many more professional, private companies, but I think it's vitally important as the world becomes more globalized, as many companies start to have either branch offices or suppliers and vendors that are in other countries and cybersecurity becomes more global threats, as we continue to see. I think it's important that we look at it from that aspect. I'm a Marine Corps veteran, I joined the Marine Corps when I was very young. So that aspect of national security is still important to me in understanding now kind of the intersect that we have with cybersecurity being national security and national security being part of cybersecurity is one of the areas where it interests me.
Novinson: How did your time in the Marine Corps influence your decision to go into cybersecurity?
Owens: Security, just from a standpoint of what we do in cybersecurity is we protect people, businesses, data information, not so much unlike what we would do in the military. This is a much different setting. But I think it has instilled in me the discipline that it takes also, the ability to empower people, I mentioned that earlier. But in the Marine Corps, where there is a chain of command, if you will, you see that replicated, but also to push responsibilities down to those that are junior and understanding the teams, understanding threats, is very common, and then understand the landscape in which you operate. So there's a lot of these kind of larger thematic type things that we hear we talk about in the private sector, which is almost hand-in-hand with military terms or objectives; without the bombs and bullets.
Novinson: What do you consider your greatest accomplishments as a leader? And how are you successful?
Owens: Building people, building junior cybersecurity professionals, elevating them, giving them an opportunity to succeed, evaluating them, and helping to push them along and navigate and mentor. This is a game of zeros and ones, if you will, but at the end of the day, it comes back down to people. So my accomplishment is the teams that I've been able to build, teams I have been able to lead. Outside of that, I would probably say, having an opportunity to go to Ukraine, and work with the Ukrainian government about the challenge that they're facing, and have been facing. Again, highlight that aspect of how cybersecurity is an impact around the world.
Novinson: What was that experience like working with the Ukrainian government? How do you feel someone in your role was able to assist?
Owens: I think, several ways. I think, being able to highlight cybersecurity in a part of the world that may not be getting as much attention. So I was part of a delegation of like 16 cybersecurity members from around the world that took part, which was led by now Secretary of State Antony Blinken. So that was a great opportunity to travel as part of it going to a country such as Ukraine. I had never been there before. But just working with people and the acknowledgement of the challenges that we're facing, and things that we're seeing and understanding. There's things that we're seeing right here. In the U.S., the same challenges are happening around the world, even in countries that may not have the necessary budget, or resources that a company like America would have. So that alone kind of highlights my trip to be able to take part in that and help to shape ... I'll not say shape another country's national security perspective, but at least add to it.
Novinson: Of course. What advice would you have for aspiring CISOs or those who have just entered the role?
Owens: Work hard, be adventurous. Take opportunities that come your way. One thing I think a lot of people fail to understand, we all joke about entry-level jobs, and they want eight years of experience, right? But it's various different types of experience. When I look at hiring cybersecurity junior folks, there's intangibles that I look for. I think a lot of people kind of miss the idea of once you become a CISO, it's like you're a master of all of this. Hopefully, you're a master of putting good people around you. Those people could be communications people, they could be good technological people. They also could be people that are very good at organizing and Chief of Staff type people. So I think being an evaluator of good talent is part of it. Then I also say if they're just coming in, take every opportunity. Every role that you can have is only going to make you better if your aspiration is to lead an entire security organization, having some understanding in every facet of that because it is a very, very broad role and responsibility. I think it helps; the more experience you have in different areas.
Novinson: Finally, what's the valuation of collaboration among peers in a forum, like CyberEdBoard?
Owens: It cannot be duplicated. I think a lot of times it's understated. I think a lot of these occur somewhat naturally sometimes. But something like CyberEdBoard, when it gives you an opportunity to kind of focus in on having that type of collaboration and engagement and interaction, I think is huge. Again, something that's done anyway, kind of in an informal type basis, but it's very ad hoc. This gives you an opportunity to meet so many other people who undoubtedly are dealing with the same struggles, the same challenges that you have, and hopefully have had some successes and wins, and that you can, again, have that transfer of knowledge, that inner relationship that you can build, and not just at one time; that you can build over time and realize you have people who are going through the same thing and are looking for opportunity, just like you are.
Novinson: Of course, Michael, thank you so much for the time.
Owens: Appreciate it. Thank you.
Novinson: Very welcome. We've been speaking with Michael Owens. He is the business information security officer at Equifax. For Information Security Media Group, this is Michael Novinson. Have a nice day.