A conversation with Tim Callahan, chief information security officer at Aflac. One of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment.
About Tim Callahan: Tim Callahan joined Aflac in 2014, bringing more than 30 years of experience in information and physical security, business resiliency and risk management. Since being promoted to his current role in January 2016, he has been responsible for directing Aflac’s global security strategy and leading the information security, business continuity and disaster recovery functions across the company, prioritizing security initiatives and allocating resources based on appropriate risk assessments. He holds multiple certifications, including CISSP, CISM and CRISC.
What makes a successful security leader?
Callahan: The successful CISO must have strong leadership skills, effective communication skills, and a spirit of cooperation, collaboration and flexibility in how security objectives are met. CISOs must have a firm grasp on essential security principles and requisite capabilities, while also being creative in how those are met in various environments.
Most importantly, CISOs must understand the business they are serving and ensure they and their teams are supporting and enabling the business. They require the right blend of risk management skills, experience in implementing a total information governance discipline, strong understanding of information security structure and frameworks, and experience making a framework operational. Additionally, the key tenets of business resiliency are emerging as a critical skill for the modern CISO.
In short, it’s the ability [of the CISO] to understand the strategic direction of the company (or organization) and to integrate that strategy into the security program, while casting vision and influence at all levels of leadership and to team members in order to see the vision realized.
What internal and external priorities should today's security leaders focus on?
Each company has its own unique risk profile depending on its business model and industry. However, the latest Verizon Data Breach Investigations Report noted an increase in non-malicious data leakage events in the financial and insurance sectors. This suggests that during this time period more mistakes were made in digital environments. This serves as a reminder to pay attention to age-old fundamentals like change management, preproduction testing and release protocols. These fundamentals may not be as exciting as working on the latest threat intel platform or SOAR (Security Orchestration, Automation and Response) implementations, but our job is to protect data.
From an external standpoint, ransomware continues to be a leading threat. There are many technology solutions to help detect and render these attacks inert, but, from the human behavior standpoint, we have to work to educate employees more effectively and find ways to help them detect fake emails, links and websites. Changing human behavior is difficult, so we need to be more creative.
How can cyber leaders work with corporate peers to win buy-in from c-suites and boards of directors?
Today, most people understand the need for a strong cybersecurity program, so it is easier to get buy-in than it used to be. However, this doesn’t mean that CISOs can just expect it. CISOs must be collaborative and cooperative, and ensure that they are providing business value. Now, more than ever, security leaders must be proactive in developing secure protocols for IT and digital partners to build on securely. When the digital strategy calls for moving to the cloud, security must take the lead to build out a secure set of guardrails and automated security controls to make it as fast and easy as possible to do so.
CISOs can’t just issue standards and throw them over the wall. Security leaders must understand the financial structure of the company, how profit is generated and the challenges the business faces in achieving success. With this knowledge, CISOs must voluntarily be part of the solution. COVID has challenged many businesses either directly or by affecting their business channels. Security leaders must be aware of how the pandemic has affected the business and proactively work with the leadership team to help — all while ensuring a secure environment in which to do business.
What kinds of non-technology training do security leaders need to be successful in large and/or global enterprises?
While dependent on the nature, size and complexity of the organization, technology skills remain essential but become less important in larger teams and organizations. The leader must maintain enough technical skill to understand effective security capabilities. Security leaders must know how to find, train and retain an effective team, understand business principles and financial aspects, and provide sound leadership up, down and across the organization. Leadership is about influence — gaining and maintaining influence.
So many things in the landscape are beyond the control of the security leader. It is imperative he or she can nimbly navigate complex organizational dynamics, possesses strong communication skills and has the ability to maintain the same message but tailor it to audiences inside and outside the organization. In larger organizations, the security leader must learn and be effective in leading leaders. The transition from managing managers or managing teams to leading leaders is not always done effectively. CISOs must cast the vision and strategy, equip and resource our leaders, and then let them lead their teams.
What attracted you to join the Cybersecurity Collaborative as an Executive Committee member?
The most evident value is collaborating with other security leaders. We learn from each other, and building an organization that facilitates that is valuable.
What do you value about Cybersecurity Collaborative’s Executive Committee?
ISACs are focused on their industry, and the commonality of threats and issues affecting that industry. This is very important because the industry shares the same, or similar, regulatory environments and threat actors. Many CISOs stay within their industry and do not draw from cross-industry issues or capture the lessons learned from other industries. The Collaborative is a cross-industry information and solutions sharing forum where we can gain from each other’s experience and learn from the different perspectives.