There’s an extremely high degree of learning agility that every CISO needs, and a high volume of change that the CISO needs to anticipate and be aware of.

Jason Witty is a martial arts polymath. He has a 3rd degree black belt in Korean Hapkido. He does Japanese sword fighting. On weekends, he practices the Israeli self-defense and fighting system, Krav Maga.

That martial arts sideline has come in handy for his day job as CISO of the United Services Automobile Association, a Fortune 500 diversified financial services group of companies.

“People ask me if I’ve ever had to use it in my CISO world, and I tell them, I use that training every single day,” Witty said.

“It’s the discipline, the order, the ability to stay cool under pressure, the ability to know that an outcome is possible and know what tactics could and should be deployed for any given situation,” he added. “So yeah, I use it every day.”

Today, Witty’s No. 1 challenge as USAA’s top security chief is digesting, internalizing and institutionalizing the changes that are happening every day. And they’re myriad, whether it’s regulatory changes, compliance regime changes, emerging technologies and legal changes, or changes in the threat landscape, adversarial tactics or geopolitics, he said.

“I spend roughly two hours every morning just digesting what changed since I went to bed the evening before so that I know what I need to account for just that day,” he said. “There’s an extremely high degree of learning agility that every CISO needs, and a high volume of change that the CISO needs to anticipate and be aware of.”

As an example, there is a lot of hype now around quantum computing, so CISOs need to move off encryption algorithms that are not quantum resistant, Witty said.

“It takes a long time to move the internet off of vulnerable technology,” Witty said. “Up to 40% of the internet is still running old infrastructure. As CISOs, we have to start thinking about things that are not just right in front of us, but are three, five or 10 years out, because there are certainly risks that will take us a decade to manage.”

 

Witty started his career as a Unix systems administrator for NASA back in the early 1990s. Hackers were constantly breaking into the systems, so one day, he got onto ARPANET, typed in the word “hack” and found 1,300 documents. He printed those out, spent several years reading them while in college, and by the time he went back to NASA after graduation, he came on board as a Unix system security administrator.

“Security wasn’t a thing at the time, it was born more out of necessity, but that then launched into a number of other roles of increasing complexity over time,” he recalled.

These included a job as network security consultant at Allstate insurance, and various other security positions in financial services, including at Bank of America, U.S. Bank and JPMorgan Chase.

About a decade ago, he made the transition to reporting to the board. That’s when he realized that “there is a very massive difference between being able to speak publicly and being able to speak to a board.

“With public speaking, you want to be good at storytelling,” he said. “In a boardroom, you are there for corporate governance reasons. You have to transparently present risks and action plans associated with lowering those risks to ensure that you are adequately performing your fiduciary responsibilities as CISO.”

The Securities and Exchange Commission is currently formulating policy on how to ensure public company boards understand how security issues translate to an organization’s operational risk. In the interest of corporate governance, Witty personally prefers that every board director receive regular education on cybersecurity, rather than have just one expert – a CISO – on the board.

Since Witty entered the financial services industry in 1997, “the role of the CISO has changed quite a lot,” he said.

During the 20 years he was in Chicago, he ran an email distribution and dinner group for CISOs based there, giving him an opportunity to observe CISOs at a very practical and frequent level. By the mid-2000s, he was shocked to discover how so many people could hold the same title, but do such completely different jobs.

Today, while there’s still variability from industry to industry, he sees a lesser degree of variability overall than he did back in 2005, when CISOs were only responsible for setting security policy and had no operational responsibility at all. There’s a corollary with the evolution of the CIO’s role to becoming a business partner who helps with the bottom line and makes things more efficient, automated and digital, he said.

“The CISO is actually going through a very similar transition, needing to be somewhat technical and understand technological nuances, but at the same time, being able to translate whatever risks you’re managing in a truly risk-based language to the board or to the CEO or to the CEO’s direct reports,” he said.

“You have to really be a partnership-oriented person with a high degree of learning agility and a good executive presence within the board,” he added.

“But at the same time, you have to be able to manage risk well and grow a team, and build leaders who are going to build other leaders, and keep track of the ever-changing threat and technology environments.”

Read the CISOs Connect™ Magazine CISO Spotlight Edition here: https://bit.ly/3Z2tIGc