Working with a mentor who understood that security must be viewed within a broader lens was formational for Brett Conlon, CISO at American Century Investments.
After doing web development and data development during the dot-com era, Conlon moved to the U.S. Missile Defense Agency, where he was responsible for security servers and worked on program management. That led him to the FBI, where he spent 10 years working on national security and cyber defenses. In the private sector, he created the security program at Edelman Financial Services before moving several months ago to American Century.
“When I started in my career, I had the ability to work for some great leaders, and at the FBI had the good fortune to work with someone I consider to be one of the greatest mentors to work with,” Conlon recalled.
“He was very good at letting us fail, providing us top cover when we did. And he always told us to understand the business and not just develop or try to look at things from our lens, but the business lens and what we are trying to achieve.”
Understanding the business
In that case, the business was the FBI, but Conlon’s experience there provided a nice segue into private industry.
“Understanding the business so we can provide the right type of security strategy is my business,” he said. “And so we develop the right risk tolerance and build innovation programs around that.”
The biggest innovation he’s leading is redefining how risk is regarded, including explaining to the business side the added value that cybersecurity brings to the company’s bottom line, brand and reputation, he said.
He defines his role as “chief educator around all things security and risk, and making sure everyone understands it’s a company-wide responsibility.”
Risk and threat lens
“Part of our innovative strategy is making sure that everything we bring out really has that risk and threat lens on it already, and creating a way for our users to engage with us and our employees so they feel like they are part of the solution.”
Conlon is looking at department scorecards and individual scorecards so the business can now see the risks it’s bringing to the company, and what it can do to resolve those risks.
“That’s our unique approach to it, and it seems to be producing the correct conversations, producing the corrective actions that we want to see.”
One of the biggest challenges CISOs face right now is the very rapid pace at which the risk and threat landscape is evolving. It’s a challenge to keep up with that and build programs that are scalable and can help the business grow, Conlon said.
Cyber warfare
Malicious nation-state activity is on the rise, with cyber warfare playing out between Ukraine and Russia, Iran and Israel, and in China, he said.
“The pace at which that is evolving, and the pace at which risk and how we manage it is evolving provide a big challenge for us,” he said.
Supply chain risk is another challenge because there’s not a lot of transparency in supply chain risk management today, he said.
American Century is evolving continuous monitoring programs for third parties. It’s also looking at how frequently third parties are being evaluated and how risk rankings are given to third parties so it can figure out how to represent the risk correctly to the business, he said.
Continuing education
With the security landscape changing so rapidly, Conlon puts a premium on making sure his employees are continually growing and learning.
“It’s my job to make sure our team is as marketable as possible by continuing to develop, nurture and foster them in their educational pursuit of the ever-changing cybersecurity landscape,” he said.
That professional development creates a culture where they want to stay, he said. And while Conlon isn’t experiencing talent shortage problems, he thinks they could be mitigated industry-wide by loosening the requirements for candidates.
“We don’t really prescribe ourselves to X number of years of experience, or this type of cyber degree or master’s in computer science,” he said. “We’re really focused on the ability to learn, and how quick they pick up on things. The rest of it can be taught.”
Internship pipeline
The company also has built a strong internship pipeline to bring in talent, he said.
“With labor shortages, a connected workplace, and a landscape that is evolving at a rapid pace, I think it’s the CISO’s job to build out a very innovative, welcome and welcoming program that attracts talent and keeps that talent,” he said.
Another piece American Century does well is making sure that security isn’t kept behind the scenes, Conlon said.
“We do a really good job of making sure our employees are aware of it, that we’ve created an active engagement, and that the security team itself is very engaged in the different areas of the business,” he said.
Active mentor
Conlon is an active mentor. He works with aspiring cyber practitioners at the Air Force Academy, and at his kids’ school, he educates pupils about cyber safety and gives guidance to youngsters interested in getting into the industry.
He’s also created partnerships with local colleges and the police in the past, and is looking to establish those partnerships again in his new home in Naples, Florida.
After hours, Conlon volunteers as a soccer and flag football coach for his children, and does paddleboarding in the ocean. He also takes early morning walks.
“That helps me sort of catch up on my day, get my time to take a break from work itself, and just focus on the simple things.”