CISO, United Technologies
Daniel Conroy never expected to be a CISO. He never expected to be in America. He was a rugby-playing, triathlon-competing lad from Ireland, who came to the United States for a brief stint with a semiconductor company, using his background as an electrical engineer. Seventeen years later, Daniel, his wife and children are living in Stamford, Connecticut, where he is a much sought-after CISO in the industry.
The Triathlon of Cyber Security
As his background in rugby and triathlons attests (he took up triathlons because they were easier on his knees), Conroy is fiercely competitive. As a CISO, he realizes that his opponents are trained, well-funded and well-connected cyber criminals – and that’s an understatement.
Conroy’s past harkens back to the days when information security, or the more archaic term “computer security,” was part of a job function, and not its own function. “Back then,” Conroy said, “using a Super Bowl analogy, it was 11 defenders facing 11 attackers. Things have changed. It’s still 11 defenders but now they have to face the entire stadium. Our approach to security has had to change.”
Conroy gave an interesting analogy: “Information security is like a triathlon, or an Ironman competition. When you’re competing in an Ironman race, you can’t change the weather, you can’t change what the competitors are learning or practicing. It’s the same in information security.”
Conroy believes that “It’s about your own preparation, the tools, training, education, practice, patience and collaboration. In a triathlon, you can’t control the externalities; just like in security you can’t control the threats. You can just be aware of what they are, analyze them, respond proactively, and learn from them to be better prepared for the next attack.”
“On the day of a triathlon competition, when you come out of the water, you have to go with the flow. If your bike gets punctured, you have to fix it. Essentially, you have to deal with several unknowns during the competition. You can’t change or control many of these things. Being a CISO is very much like that. Study the cyber landscape, build a solid strategy, prepare and practice, and adapt to ever-changing situations to fight with the unknowns. That’s what makes the job fun and interesting. A triathlon is a sport that aligns well to my personality as a CISO,” Conroy added.
It Takes a Team
Just like you train your body and mind for a triathlon, training and readiness are important for Conroy as a CISO. It is not just about knowing what technology solutions are available. It is also about the people on your team. Conroy decries the lack of sufficient skilled information security professionals. “It’s going to be a real problem going forward. Not just for us, but for the nation and ultimately the world,” he said.
So, as a leader, Conroy has always been committed to helping his team get the kind of training they need to succeed. He is an avid supporter of educational programs and he has also worked to sponsor academic information security research.
The Long Run
Working as a CISO is not for the faint of heart. Every day there’s a new challenge; something that demands your immediate attention that day. It’s all too easy to get caught up in the minutiae of the day-to-day. But Conroy is looking beyond that. “At my job, at best I have time to think three years ahead, five years ahead.”
As a CISO, Conroy sees his role as more than simply securing the data. Everything is linked: physical, data, and business operations. That’s why he has built, and advocates when it makes sense, state-of-the-art monitoring centers that manage and integrate more than just the data traversing the organization.
He believes in allowing the physical security people to gather information, examine video surveillance, and look at intelligence feeds. Everything is integrated. “It’s not a NOC or a SOC. If you look in most cyber-mature institutions you have physical security, information security, fraud and other disciplines working together as one team. Other companies have an opportunity to join those worlds.” Conroy has led the implementation of such fusion models and has become a model for other CISOs, both in the financial services industry and outside.
Like Humphrey Bogart’s character Rick Blaine in the classic Casablanca, who came to the desert city “for the waters,” Daniel Conroy came to the United States 17 years ago for the weather. A wife, two kids and a Connecticut mortgage later, he’s still here, prepared to weather anything.
Being a CISO for major institutions requires good strategy, planning, bursts of energy and long-term durability.
Sort of like a triathlon.