It starts from the search
Sometimes it’s the simplest things we happen to do that change the course of our lives. For Jason Witty, it is typing a four-letter word – “hack” – into a search engine bar that led him to a career, no, a life, in information security.
That search turned up results for 1,300 documents. The impressionable Witty, then only a teenager, printed out all of the pages.
“For the next three or four years, I read them all.”
‘Quite the tinkerer’
Witty’s father had a government job in experimental technology. In the 1980s, Witty got to see the predecessor to the laptop – a really big computer. “We had an acoustic coupler modem in the house and he’d be connecting to all kinds of government systems from that, and I just thought that was fascinating.”
Indulging his curiosity was not a new thing to Witty, who grew up just outside the Langley Air Force Base. “I’ve always been quite a tinkerer,” he says. He was 10 or 11 when he bought an entire pallet of surplus equipment from NASA-Langley. By the time he was 12 or 13, he had multiple bulletin board systems, multiple computers hand-built from wire-wrapped Radio Shack kits and parts.
“By the time I got to high school, I was pretty handy with technology in general,” he says.
Small wonder that a few years later, he started working for NASA as an electronics technician. He had fond memories of this job; the engineers played a lot of practical jokes on him. He continued his on-and-off stint at NASA as he juggled school and worked multiple jobs. Witty studied electrical engineering, but also took plenty of computer science and psychology classes.
In 1997, he moved to Chicago to work for an insurance company – his introduction to the finance sector where he remains to be, now as the CISO of U.S. Bank.
Beyond the basics of compliance
Being a CISO is one thing, and being a CISO in a specific sector is quite another. As the CISO for a financial services company, Witty says audits are very much a part of the job. In a year he gets 72 audits and has to comply with 43 different versions of federal legislation rules or guidance that financial services companies have to abide by in information security.
He has to maintain the decoder ring and maintain relationships with all the various regulators. Internally he has about 650 people directly under him. He presents to the board of directors and the risk management community at least four times a year.
“You have to be an expert in all of the industry-wide complexity first, and then be an expert in information security, because we all know that being compliant does not mean being secure.”
From the base that is compliance, a financial services CISO will, above that, have to work on actual information security. “You have to be able to keep up with the threat environment that’s always changing and unknowns that are going to be coming at you constantly and new types of weather that hit our planet every quarter when none of the old types of weather ever go away.”
Pretty overwhelming, but then again there’s something else yet – the need to be “a seasoned business executive, speak Klingon to your team and english to everybody else, and be able to be innovative and enabling the business at the same time.”
That’s a lot on a CISO’s plate, and more than that, the role is constantly changing. Over the past few years CISOs have seen additional budget and funding, or increased visibility with the board and the board committees, or a change in organizational nature where the CISO is becoming a peer to other C-level executives whom they may only have reported to in the past.
Not science fiction, but science fact
As a CISO, Witty has a fairly clear view of where information security is, where it appears headed, and what challenges it faces.
He acknowledges the lack of supply of professionals across the board, and not just for CISOs. “Conservatively, there are extreme, negative unemployment rates for information security professionals.”
He also believes that the world is seeing a faster pace of technology-related change. “We’ve been using the word unprecedented for multiple, multiple years now, but we really are on the precipice of an exponential type change in the way that technology affects our lives,” he says.
As a result, there will be “a corresponding change in the way that we have to think about, not just internet security, but also internet safety, as we connect more and more things together, and as machines are making more and more decision that directly impact our lives.”
Information or internet safety, he believes, is not as mature as it should be given how fast the Internet of Things has been exploding. “We’ll see that there will be, increasingly, more safety concerns with software as it’s connected into the human body, as it’s connected into devices we are using, as it’s connected into cars that are driving us around.”
Witty injects some vocation into his work and gives back through involvement in community groups, information security associations, and volunteer work. Currently he is chairman of the Financial Services – Information Sharing and Analysis Center, and vice chairman of The National Technology Security Coalition.
Given these immense responsibilities, Witty describes himself as deliberate in his personal time. “If there’s no need to be working, I won’t be,” he says.
He saves his weekends to spend with his wife and three children – aged 14, 12 and six. Two of the three children are in martial arts, one of the three is in American Ninja Warrior training and all three of them are quite tech savvy.
Witty also just also got his third-degree black belt in Korean Hapkido – something he had been aiming for over the past four years.
He says he’s in good company in his martial-arts pursuits. “The C-level executives that I run across all share that trade in common. That they’re very well polished business executives in general, but they also have a very clear definition of what else they do, and there’s always some aspect of relaxation, vacation, mental check out, as well as some aspect of fitness in one way, shape, or form.”
There’s a running joke about him at work, Witty says. His perspective is sought for three specific things: information security, martial arts or something fun to do with children on the weekend.
“If it’s not one of those three things you might not even bother asking my perspective, because I’m just gonna have no idea.”