When I tell people I’m in security – especially information security – I usually get one of two reactions: “Wow, that’s cool!” or “Wow, that sounds really tough!”
The truth is, my job is both. It’s tough – there are threats out there each and every day. And just when we solve one challenge, two more arise. But we keep fighting the good fight with a strong and talented team – because at the end of the day, consumer trust in our brand is everything. And that’s what I want my team to be able to deliver. But I also want them thinking about what’s next … being able to anticipate the next problem – even better, fix it – before it happens.
I’m often asked, “What keeps you up at night?” It’s a fair question, given the field we’re in. For me, it’s much less about the next virus that comes out, or the next software patch we need to deploy. Those are table stakes for working in security today. Don’t get me wrong – they’re important, and many of our smart security professionals make solving those challenges their mission each day.
In my mind, our field has three big areas that we need to address:
- Unsuspecting/uninformed insiders
- Development and availability of new technologies
- And perhaps most importantly, a shortage of information security professionals in the industry
When I think about unsuspecting or uninformed insiders, I’m talking about your average employee: someone focused on getting their job done every day. They’re not always thinking about security – certainly not as much as security professionals are. But they’re an important asset for your team. With a little effort on education, you can bring employees up to speed on the latest types of security issues, and they can become your first line of defense against the challenges your organization faces.
At MasterCard, I’ve told our employees that security is truly everyone’s responsibility. We conduct regular training as new threats emerge to make sure employees know what to look for, and are savvier in their day-to-day work about things like phishing, spear-phishing, and other social engineering tactics.
We’ve instituted a program we call our “Phishing Tournament,” in which employees who regularly turn suspicious emails in to their junk folder instead of opening them or clicking the links inside are rewarded for their efforts. These are emails that make it through our highly tuned filters but are still recognized by employees as potentially damaging. My team established a point system based on the potential damage a malicious message could cause, and we reward the employees with the highest point totals each quarter.
Another concern I have is the ongoing emergence of new technologies. Ironic, considering I work for a technology company, right? But I have to be vigilant about what we try, and when we try it. It’s certainly a balance. We want to take advantage of new technologies when they come out, as do our business partners. But we have to couple that need with making sure whatever technology we bring into the company doesn’t harm our network and systems. Consumers count on us so they can pay for the things that matter to them, and we need to deliver on that promise.
So, we take a test-and-see approach to new software and platforms. We conduct due diligence screening to make sure new software will not only help accomplish our business goals but is also safe for our environment. We continue to work on making this process thorough but fast. It’s a constant balance for the organization, as we look to take advantage of the latest technologies to give our customers the best experience possible.
Finally, I’m constantly on the lookout for talent for the security roles I oversee at our company. At times this can be very challenging: although there is a tremendous amount of opportunity in this field, it’s still a new field of study for many colleges and universities. It’s rare to encounter someone with years of experience in it. That often means you’re trading talent with other companies instead of growing your staff internally. Not a long-term solution, to be sure.
I think that those of us currently in the field have an opportunity and a responsibility to change this. We can do so in a number of ways, but the way my team is choosing to do it is direct engagement with the colleges and universities in the cities where we’re based. By working with our Information Systems and Cybersecurity departments on the more advanced programs, we’re creating opportunities for our employees to speak to university classes about the types of jobs that are available to them in the security field. We’re looking at mentoring opportunities for schools with existing security programs. We’re sponsoring hackathons in partnership with the colleges and universities. And, we’re bringing students on-site to meet our team, and experience what we do each day.
The results have been fantastic, with a lot of interest from students newly focused on the cybersecurity space. Many simply weren’t aware of how much the field has grown, or of the variety of jobs available. I think each of us needs to keep building awareness of this amazing field we’ve chosen, and work at bringing smart and talented people onto our teams.
I think if we, as an industry, can focus on continuing to demonstrate our value to the businesses we support, while partnering with and mentoring the next generation of security professionals, that’s a win-win for everyone.