Blending Art and Science in Cybersecurity
Ann Johnson
Technology Executive. Board Member. Corporate Vice President - Microsoft
With responsibility for protecting people’s life savings, assets, and more – CISOs in the financial services industry have a uniquely challenging and interesting role. The heavy regulation and elevated customer expectations could make for a pressure-cooker-like environment. But for the industry CISOs I talk to – they view it as a great honor and privilege to serve their customers, and they have learned to keep their cool when things get tough.
That’s why I was so thrilled to chat with my latest Afternoon Cyber Tea guest, Stacy Hughes, vice president and Chief Information Security Officer at Voya Financial. Stacy has over 20 years of experience leading complex IT initiatives within Fortune 500 financial technology organizations. Prior to her role at Voya, she was CISO at Global Payments Inc. and has held leadership positions across governance, compliance, accounting, and audit functions.
I think other vertical industries can learn a lot from the security, compliance, and privacy practices within financial services, so I’m hopeful there are a few relevant insights for readers and listeners. Here are some highlights from our discussion – the full episode is available here.
The art of cybersecurity
For cyber defenders, finding fresh and innovative ways to protect against cyber threats is in many ways an art form. Adapting, thinking creatively, communicating effectively, and solving complex problems are all qualities of artists. I had heard Stacy describe how she thinks about the art of cybersecurity and wanted to understand her point of view more. She briefly discussed how she thinks about the art of cybersecurity at Voya, saying, “The art of it requires really partnering with our business, with application owners and our development teams to really fully understand how applications work and determine what is unusual behavior.”
The science of cybersecurity
Cybersecurity is also, of course, a science, utilizing scientific principles to identify, analyze, and mitigate risks and threats. Throughout my career, I have found there to be real magic at the intersection of art and science in cybersecurity. When I asked Stacy about this, she agreed, and offered an example of how she sees the pairing of the two, stating, “The partnering of art and science is what is utilized by teams to really help develop risk-based alerting to find that needle in a haystack. For example, if I were to log in from an unusual location, it may be normal activity for me, but it could also be a threat actor. Or I'm working remotely today from somewhere else other than my home. However, for example, if I log in to a new application that I historically have not utilized before, then that could be defined as potential unusual activity. So it's like the art and the science works together to help provide a very good perspective on the threat landscape and alerting.”
Advice for aspiring CISOs: experience outside of cyber
With each of my CISO guests, I ask what tips, tricks, or advice they would give aspiring CISOs and cyber leaders. Stacy offered some sage advice for people to learn the business they’re in, and gain experiences that provide exposure to key stakeholders, commenting, “Before we become CISOs, my advice is to learn the business and take other roles in an organization that give you exposure to key stakeholders and business areas. I think really having that business context helps provide a foundation on how to secure an organization. And with those developments, you can really build great partnerships. With those partnerships, you can also leverage them as you evolve in your career. And when you do move up to the CISO level, then you already have those regular meetings, that regular rapport already established.”
My conversation with Stacy was fascinating and full of insights for those aspiring for a leadership role in cybersecurity. I hope you will give it a listen. For the full episode and more Afternoon Cyber Tea, visit www.afternooncybertea.com. New episodes are released every other Tuesday and are available on the Cyberwire and most major podcast platforms.