The Cipher Brief spoke with Michael Howard, Microsoft’s Chief Security Officer (CSO), to get his thoughts on how the job of CSO has changed over the years. Prior to joining the private sector, Mike spent 22 years at the Central Intelligence Agency.
The Cipher Brief: What are the biggest changes you’ve seen to the security industry, particularly as cyber threats have overtaken more traditional security threats?
Mike Howard: As you might expect, an answer coming from Microsoft’s CSO would undoubtedly focus on the impact of technology on the security industry, and technological change continues to be an opportunity as well as a challenge. The rapid pace of change with advancements in innovative technology has certainly shaped the threat landscape that we, as security professionals, face today. There have been a number of well-publicized cyber attacks in recent times, and the emergence of cyber crime has certainly come to the forefront.
This has driven change in the security industry in many ways. At a leadership level, we are seeing the profile of senior security positions evolving with many joining from outside the traditional security channels. Previously, many subject matter experts came with law enforcement, police, or military backgrounds. Now there is a greater emphasis placed on business acumen and other skill sets, such as finance or operations.
The quickly growing threat environment drives a need for increased collaboration, not just between the physical and logical security functions within a company, but also between other lines of business. With this comes a greater reliance on the security professional to better align with the business and become more strategically integrated as well. With this focus, we are seeing a stronger push towards governance, and greater involvement by physical security organizations in a company’s enterprise risk portfolio.
TCB: How does ASIS help its members stay ahead of the security curve and anticipate what’s next on the horizon?
MH: From a personal perspective, the first element is the educational aspect that ASIS provides. As a long-standing member of ASIS, I have witnessed and experienced first-hand the positive impact the ASIS organization has had on keeping security professionals current on shared best practices, new technologies and the opportunities to discuss new challenges. It provides a platform for continuous learning opportunities for all levels of security professionals. I say this both as an attendee and as a contributor to many of the sessions. Participants have the chance to listen and then ask questions to subject matter experts on a wide variety of existing or emerging security topics, gain insights, understand best practices and learn from others’ experiences. This is invaluable in keeping an eye on the horizon.
The second aspect that I would highlight is the great networking opportunities. The truly global outreach that the ASIS organization has via its chapter membership enables it to bring together security professionals from all over the world. With strong international attendance, facilitated forums, such as the CSO Roundtable, create the ideal opportunity for an enriched information exchange - providing diversity of thinking for CSOs and their direct reports.
TCB: How important is the public-private partnership to CSOs and other security professionals, and what can be done to improve the connectivity between government and the private sector?
MH: As CSOs, the relationship between the public and private sector is vital and needs to be strategically approached. It is essential that the public sector have an understanding of the main, industry-specific risks to the private sector. Conversely, there has to be an appreciation on the part of the private sector as to how much the public sector can deliver and, ultimately, what you need to do for yourself. With these two aspects in mind, I ask my team to focus on communication and transparency with the public sector. The sharing of information and frequent two-way dialogue is key in developing a mutually beneficial partnership for both entities.