Being a CISO “is a lifelong learning adventure,” says Roland Cloutier.
He should know: His professional trajectory has taken him from military law enforcement to Global Security Chief at Tiktok and soon, a special adviser to the mobile video hosting service.
“Don’t think because you have one certificate that you’re great for the rest of your life,” Cloutier said. “Make it your passion to learn about your trade, your craft, your business. Whether you’re 21 or 51, you need to be a continuous learner in what we do every day.”
Bitten by the cyberbug
It was that thirst for knowledge that got Cloutier into the CISO business to begin with. While working in law enforcement for the military, he discovered that many of the cases dealt with technology and computers. At first, he’d confer with friends who’d help him, but at one point they suggested he go back to school to learn the material firsthand.
“I just got bitten by the technology and cyberbug,” he recalls. “I loved it.” Within a week of graduation, he had a job, and soon discovered that there was a void in developing crucial infrastructure programs for corporations. He built programs for EDS, then went out on his own with a company he later sold to Global Network Technology Services (GNTS).
After he helped three other companies build their capabilities, the CIO of EMC invited him to be the company’s first CSO. From there, he went to ADP to build its global programs, and most recently, he was asked to build Tik Tok’s Global Trust Initiative.
“My specialty is converged security, how do you look at all the aggregated areas of security and put that under an umbrella organization that can represent the risk that the business has and solving those risks without having four or five different people going to the CEO saying the same thing,” he said. “How do you get accountability for the totality of security risk and privacy programs in one organization?”
Understanding the context
Starting out in the military gave Cloutier an excellent foundation for understanding the concepts of what needs to be protected.
“The government spent a lot of money training me on all aspects of security,” he said. “Those concepts of understanding the constructs of what you’re trying to protect, the criticality of it, the risks associated with those things. And then, how do you put programs in place?
“If you can operationalize that method, you can teach others to do it. You can develop very powerful programs that protect companies and organizations,” he added. “That base training that you get is so important.”
Leadership is key
The second thing the military instilled in him was the concept of leadership.
In the military, “you lead from up front, you find and create great leaders, and you enable them to go execute their mission space,” he said. “Being mentored by amazing people throughout my government and non-government career, and having to understand how leaders should really work when it’s a serious, life-saving program or mission space you’re operating in, being able to take that and teach that, I think, is the other thing that has made me successful.”
Major challenges facing CISOs today
Cloutier identifies three key challenges facing CISOs today.
No. 1 is filling the gap between security expert and business by developing business acumen, Cloutier said. “This is a business job, so security risk and privacy operations practitioners and executives need to understand what they’re protecting. How can you protect the business if you don’t know what they make, sell, deliver, how they profit from it?”
Continuing technical acumen is Challenge No. 2. If a company operates predominantly in the cloud, then a CISO had better know something about cloud security and containers and technology movement between cloud providers, he said. Capabilities have to change as technologies and enterprise operations do: “You should always be increasing your knowledge.”
Understanding what’s happening in your environment is key as systems get smart, with a lot of them self-defending. That means teams are going to be migrating from technical positions to analysts’ positions. “It’s a whole new job family. How do we train them, select them? That has to happen, sooner rather than later.”
Challenge No. 3 circles back to the leadership discussion.
“You have to adapt as a leader to the changing type of people coming into this organization,” Cloutier said. “The average age in my last company was half of my age. They don’t think like I do, consume information like I do. You have to engage people where they’re at, where they think.”
Trends in cybersecurity
Organizations are moving their programs out to cloud providers, which is a positive development because there are innovations in cloud capabilities that didn’t exist before, he said. That requires CISOs to take responsibility to take advantage of the cloud. “Cloud migration will be a continuing learning experience and issue for enterprises as they do that.”
Another important trend are the golden nuggets that technology companies are pulling from massive amounts of data, Cloutier added.
“Being able to show and prove how we use data is going to be one of the most leapfrogging events in cyber defense operations in the next five years because of the continuing developments around machine learning capacities and advancements in artificial intelligence,” he said.
Giving back
Giving back is a major imperative for Cloutier, whether by guiding a young neighbor into a high school mentoring program, or training people on his team, or mentoring people outside his organization. “It’s a lot of little things, but if we each do them, it becomes a massive effort.”
“If you accept mentorship, and you accept feedback, and you can take that and convert it into how you act and move your experience forward, you’re going to be very successful.”
New horizon
Cloutier recently announced that he would be transitioning from his role as global chief security officer at Tiktok into a strategic advisory role, focusing on consumer security initiatives and how they impact the business.
Stepping back and not doing operations any more is going to require re-education, he said. “You can’t just turn it off. … You’re wired to solve problems. … That’s how you are.” In his new job, “it’s a different focus,” he said. “Getting back to that part of why security is important for business.”
Kicking back
People have to make the time to detach themselves from work, Cloutier said. He’s an outdoors type, and likes to spend time on his daughter’s farm, where she runs an equine program. He also enjoys fishing and semi-competitive shooting, and recently started hiking, most recently in the White Mountains of New Hampshire. Reading books that aren’t work-related – Tom Clancy is a favorite — is another outlet.
“People have to find the thing that disconnects them so they’re not thinking about work, they’re not looking at their iPhone or their devices, that they can totally get into, and get out of their head space and give themselves a little bit of rest.”