A conversation with Ashley Devoto, chief information security officer at Booz Allen Hamilton. One of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment.
About Ashley Devoto: Devoto is the chief information security officer at Booz Allen Hamilton based in Charlotte, North Carolina. A seasoned cybersecurity leader, she brings 17-plus years of experience as a cybersecurity practitioner across military, financial services, and professional services organizations.
Prior to her role as CISO, Devoto leveraged her cyberspace operations and strategy expertise as a client delivery executive to help Fortune 500 organizations design, build, and operate advanced cyber defense capabilities. Prior to joining Booz Allen, she served as a business information security officer at Bank of America where she was responsible for business enablement and cyber risk mitigation.
Additionally, Devoto served as a cyberspace operations officer in the United States Air Force, and has held multiple tactical, operational, and strategic roles. She led operations at the Air Force Computer Emergency Response Team (AFCERT) and served as a defensive cyberspace operations planner at 24th Air Force and NORAD/USNORTHCOM. As an active Reservist, she works on cyber force development at the Pentagon where she leads strategic initiatives for the officer/enlisted/civilian cyber workforce.
Ashley holds a B.E. in Computer Engineering from Vanderbilt University and an M.S. in Engineering Management from Southern Methodist University. She is also a Certified Information Systems Security Professional (CISSP).
What makes a successful security leader?
Knowledge is power — having a solid, foundational understanding of the cybersecurity ecosystem is critical. There is a misconception that a successful security leader needs to be specialized in one technical domain; however, having broad exposure across disciplines provides diverse perspective and enables “out-of-the-box,” creative thinking to solve the vast, complex problems we face in the cybersecurity field. This breadth enables a leader to identify interconnectivities, intersection points, and opportunities to innovate.
Coupling multi-disciplinary cybersecurity domain knowledge with business savvy and risk management is a differentiator for security leaders. Ultimately, cybersecurity is about risk management, and successful security leaders infuse that business context to translate technology risk into business risk. Consequently, they understand the linkages and have awareness of how security can support and enable business partners.
Lastly, successful security leaders employ highly transferable skills such as project management, effective communication, and people leadership, which are required no matter what type of team you are leading. Cybersecurity is a team sport, so the ability to build a “coalition of the willing” across the organization with business stakeholders and partners is a critical success factor.
What internal and external priorities should today’s security leaders focus on?
For internal priorities, security leaders must understand their attack surface (including their supply chain ecosystem) and focus on visibility across the enterprise — because you can’t protect what you can’t see! In both public and private sector organizations, I have observed that there is still a need to focus on the fundamentals of cybersecurity. We must do the proverbial “blocking and tackling” with robust asset management and good IT/cyber hygiene. To build on the sports analogy, security leaders should embrace the principle that the best offense is a good defense. This principle applies not only in sports, but also in business and in cybersecurity. We should be ruthless in defense of our business by creating resilient systems and processes that are hardened to make the attacker’s job difficult. Through a strong defense, we can better combat and repel cyber threats and attacks.
For external priorities, there is an increasingly critical imperative to understand supply chain risk and how our connected ecosystem extends beyond the “walls” of our organizations. As part of that broader supply chain conversation, we should expand and accelerate public/private partnerships to work collectively and collaboratively to eradicate the sophisticated cyber threats that we are facing. I am energized by the ambitious whole-of-nation, interagency, and international initiatives that have been established and encourage our cybersecurity community to engage and be a part of the conversation to pool resources and think boldly about how we can neutralize cyber threats upstream by disrupting the threat actors’ infrastructure and ecosystems.
How can cyber leaders work with corporate peers to win buy-in from C-suites and boards of directors?
This expands on the tenet of a successful security leader being business-minded and partnering with stakeholders. Security leaders cannot work in isolation and be effective in executing the cyber defense mission. We need to clearly articulate how cybersecurity is a business enabler and competitive differentiator by mitigating risks and protecting the institution and customer/client/employee data. Effectively communicating the return on investment is critical; cybersecurity can feel abstract and somewhat mysterious to non-technical senior leaders, so formulating and explaining the value proposition is key to gaining and maintaining the buy-in from peers, stakeholders, senior leaders, and boards of directors.
What kinds of non-technology training do security leaders need to be successful in large and/or global enterprises?
I started my career as a cyberspace operations officer in the United States Air Force. My military service afforded me not only technical training, but also extensive training on leadership, problem solving, team building, and communication. I have leveraged this training extensively throughout my career, and I believe these skills are key to success for any leader to employ. In the cybersecurity field, time is always of the essence and the stakes have never been higher; when faced with dynamic cyber threats, successful security leaders must be willing and able to rapidly assess the risk, mobilize and coordinate response efforts, and communicate up, down, and across the organization. Training on how to think critically and quickly distill information can help leaders be nimble, lethal, and surgical through confident, structured decision-making.
Why did you join Cybersecurity Collaborative?
Cybersecurity Collaborative came highly recommended by trusted peers and colleagues. I firmly believe in industry partnership and engagement because we are all in this fight together! Forums like Cybersecurity Collaborative provide an opportunity to learn, pressure-test, and shape ideas, initiatives, and solutions in a trusted and “safe” space.
What is most valuable about your membership with the Cybersecurity Collaborative?
I value the opportunity to connect with peers to have authentic, candid discussion about shared challenges, best practices, lessons learned, and “war stories.” Cybersecurity Collaborative provides great resources to members, which I leverage regularly; notably, the curated daily intelligence digest and the library of materials, playbooks, and thought leadership. The facilitated discussions on emerging topics are timely, relevant, and actionable.