A conversation with Jason Witty, head of cybersecurity and technology controls, and global chief information security officer for JPMorgan Chase. One of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment.
About Jason Witty: Jason Witty is head of cybersecurity and technology controls, and global chief information security officer for JPMorgan Chase, where he is responsible for the firm’s cybersecurity, technology controls and resiliency programs. Witty has 25 years of information technology experience, 23 of which are focused on information risk management. A certified information systems security management professional who has held major leadership roles in information security, he was the CISO at U.S. Bancorp, and senior vice president and cyber threat services executive at Bank of America. Witty serves as chair of the Financial Services Information Sharing and Analysis Center (FS-ISAC), and previously was the sector chief for financial services in the FBI Chicago’s Infragard program.
What makes a successful security leader?
Witty: I believe it boils down to three things: leadership, learning agility and adaptability.
On leadership, we must be inclusive, equitable and proactive leaders who maintain a growth mindset. Only a highly diverse team can combat highly diverse threats — but we also can't stop everything. So, as a result, we have to take a risk-based approach that manages the highest risks with the most resources, and also allows for failure to happen and learnings from those failures to improve the overall control environment.
On learning agility, cybersecurity threats have been increasing in sophistication, velocity and volume for many years. The technology landscape we are trying to protect is also constantly changing. In such an environment, I spend the first two hours of every day digesting what changed since I went to sleep the previous night. This mode of constant learning is a must.
On adaptability, we all know that we are never “done” in cybersecurity. But, as an industry, do we consume all the intelligence sources that we should? Are we paying as much attention to changes in our business strategies, technology innovation, third- and fourth-party outsourcing, and customer experiences as we are on threat intelligence? There are many more sources of change we have to digest and adapt to concurrently.
What internal and external priorities should today's security leaders focus on?
Of course, our primary objective is to protect the firm we work for, and its customers and stakeholders. However, as many companies are adopting modern, software-driven, virtualized environments at an increasingly rapid pace, we must also prioritize and resource the safe enablement of those technologies. We have to adapt to new ways of thinking, operating, controlling and automating in this environment.
How can cyber leaders work with corporate peers to win buy-in from C-suites and boards of directors?
How each CISO builds credibility with the C-suite will vary — but it is crucial to do so. Some questions all CISOs should ask themselves are:
- How can I add value to my employer's business?
- Are there customer journeys I could make better with more modern but still secure and transparent controls?
- Am I spending my budget in the most efficient way possible?
- Do I have the right talent on my team?
- Am I making the right hard choices?
- Are my business cases in "kitchen English" and directly tied to a risk or negative outcome that could happen if not better managed?
- Do my business cases make good business sense?
- Am I hyper-tactical in the day-to-day details but equally consistent in having a perspective on strategic developments (site reliability engineering/DevSecOps, cloud, artificial intelligence/machine learning, edge computing, trusted computing, quantum encryption, etc.) and how my skills and the skills of my company will need to adapt?
What kinds of non-technology training do security leaders need to have to be successful in large and/or global enterprises?
The CISO of the past won't be the successful CISO of the future. Security leaders must create an ecosystem of constant learning and agility. We have to become CIOs in a modern software environment, with security as our primary use case. We have to understand product-driven customer value and link security backlog into customer journeys.
We have to think about eradicating “educate, set, verify, fix” processes with more highly opinionated self-healing and automated software processes. We also have to simultaneously maintain intelligence on our regulatory environment, changing business strategies, customer/stakeholder demand/expectations, emerging global standards and practices, technology innovation, evolving security technologies, and the cyberthreat landscape. We have to do all that while ensuring we surround ourselves with those who have deep expertise in each of the emerging areas we need to handle.
Personally, I read two to three hours a day, participate in every industry group I can fit in, try to read some form of leadership book per month, deep-dive into a new technology every month and try to attend formal training one to two times a year.
What attracted you to join the Cybersecurity Collaborative as an Executive Committee member?
I was attracted by the opportunity to collaborate in a peer-to-peer setting without vendor sponsorship to bias outcomes or introduce sales pressures. Being an Executive Committee member allows me to validate that I am leading the industry in the cybersecurity market by understanding what other companies are facing and how they are solving the challenges. I also benefit from being able to participate in virtual task force projects and learn what other companies are doing to address current cyber challenges. By joining the Cybersecurity Collaborative, I can provide guidance to communities and companies, and help them build a more secure digital environment.
What do you value about Cybersecurity Collaborative's Executive Committee?
The Collaborative is less about threat intelligence and more about collaboration inclusive of all industries, minus the federal government. It provides a network of peer CISOs who have committed to engage in response to emergent needs of the community, as well as a unique vantage point thanks to the diversity of its member organizations.