An excellent place

Some people get to where they are by treading a neat, straight, and predetermined path, but not Fannie Mae CISO Chris Porter.
After training in pre-medicine and behavioral science, he joined a start-up, became an economist, manned an IT help desk, worked as an analyst and served as deputy CISO before landing his current role.
Passionately devoted to cybersecurity, in his more than three years at Fannie Mae Porter has fulfilled his role in “protecting the firm so that we can continue to put liquidity into the market so that people can buy houses.”

Evolution of a computer guy
“I had a Commodore 64 and I learned how to mess around with it and hack applications and video games,” Porter says of his youth. “My name would be flying across the screen along with the Apache helicopter that was part of the gunship game that I was playing.”
He went to college thinking he wanted to be a doctor, but first shifted to sports medicine before earning a degree in economics and psychology. All the while, he was “a computer guy,” one of the first students with a Unix account who used instant messaging to communicate with a friend from another school. But while he liked technology and had a knack for it, he never saw it as a potential career. “The only computer jobs that I was aware of were PC repair jobs.”
After college he worked for a while at an Internet startup, then as an economist, and then manned the IT desk of a law firm. It was at this firm that Porter had his first taste of security, working with the engineers on Check Point firewalls. He then moved to the IT desk of a university, at around the time the SQL Slammer hit. “That really grabbed my attention,” Porter recalls, “and so I spent a lot of time learning about security.”
At a security start-up, Porter picked up consulting skills, specifically the importance of a risk-based approach to security. He then worked on risk prioritization, and joined the research team for the much-lauded Verizon Data Breach Report. “That was just completely eye-opening,” Porter says. “That was probably one of the most fulfilling parts of my career… Security people today still are just starving for real data from which they can make good decisions.”
The job called for Porter to speak before numerous CISOs, giving them data breach report briefings, answering their questions, and getting a peek into their concerns from a corporate viewpoint.
He then joined Fannie Mae as deputy CISO. “I thought that was an excellent opportunity to learn how to be a CISO without having all of the weight of the CISO responsibility on your shoulders,” he said. His boss, however, left two years ago, and Porter stepped up to the role.
“It’s great to have that background of reading and researching, understanding how companies have cyber incidents against them and how I can take that information and put it into practice,” Porter says.
“You have two different views of how to get things done and there’s a perspective on one side that thinks that these things are easy, but once you’re actually in the thick of it, some of these things that appear easy are actually quite difficult to do.”

The importance of mentors
According to Porter, having mentors has been one of the most important things in his career. “At every stage, I’ve had people that I could lean on for guidance, almost like coaches, who help me with decisions, how to think about certain things.”
Peter Tippett, for instance, created one of the first antivirus tools, which became Norton AntiVirus, at a time when Porter had just decided to go into security. Wade Baker, who was also at Verizon, brought him onto his research team. “He’s an incredible guy to learn from,” Porter says of Baker, adding that they continued to work on other projects after the report was published.
James Routh, now CISO of Aetna, is also a mentor. “I’m constantly just trying to learn from him, because he’s so experienced and so we trade stories and share all the time.”
Porter now tries to repay his benefactors by mentoring aspiring CISOs or others in his company who are looking for their next challenge. “We talk about their career, what they should work on, what are the next steps,” he says.
The CISO community, he notes, is all about mentoring. “We’re such an interconnected group of organizations, it behooves us to make sure that the smallest of the group also has good security, because we’re ultimately, potentially, counting on them in some form or another.”

A complex, evolving role
The role of a CISO is asymmetrical. The demands are more complicated than separating the good guys and the bad guys. The latter only have to get it right once; the former, all the time. “CISOs also have to protect [their organizations] not just from the attacks that are happening now and every attack that’s ever happened, but all future attacks that we don’t even know about yet.”
It’s complex. Things are never simple, Porter says, and there are constant trade-offs. For example, a company can be behind when it comes to patching, not because they failed to patch, but because patching has its own effects and computers are needed to fulfill market needs. The CISO is forced to weigh the consequences of putting patching on hold until the secondary effects are addressed.
Security also means dealing with “negative externalities.” An example would be software updates. Ideally, companies would always like to update software for best results, but they have to wait until the vendor comes out with a patch. “You can have an exposure that you now have to put other mitigations around in order to cover those potential gaps, and that makes it very difficult,” Porter says.
It is ever-changing, evolving over the years and differing from organization to organization. Porter notes that being a CISO is all about “making trade-offs between investments that you’re making and that is ultimately about which risks you’re choosing to mitigate over other risks.”
This demands an appreciation of how business and tech intersect. “Ultimately, the CISO needs to understand the business: What drives the business, what drives your revenue. You have to understand business processes and how your security processes and other things affect those or make them better,” Porter says.
“If you’re more operationally or technology focused, then maybe it’s harder to pick up some of the business things. And then sometimes for the business-type folks, it’s harder for them to pick up the more technological nuances. Some of the best CISOs that I know understand how business and technology interact with one another to where they’re creating business value and reducing risk for the organization.”
This relationship moves one to do more. There are many things in the job that keep Porter up at night, one of which is the supply-and-demand issue in cybersecurity. “I spend a lot of time thinking about how to improve that with some of the community work that we do, where we start at a young age,” he says. To do his bit, he supports the GenCyber program, which educates the next generation, from kindergarten through 12th grade, about cybersecurity to increase diversity and interest in the field and to help fill the shortfall in the cybersecurity workforce.

Family time
Outside of his job, Porter tries to spend quality time with his family – bonding with his two boys who are almost six and almost three, and, as he jokes, “annoying” his wife. He tries to find the time to swim for exercise, saying that when you have small kids and a demanding job, it’s not always easy. “The computer guy” is also an avid sports fan, specifically of basketball and football.
In all, he believes himself to be “in an excellent place.”
It was his father who gave Porter the ultimate validation. “He told me: ‘When you went into security, you made a really good decision, because it’s becoming so important today.’”