Challenges are what drive Jason Callahan. He pursued a career in cybersecurity over other areas of IT because the field required obtaining extensive knowledge on an assortment of technologies.
“You couldn’t just be a network specialist or an applications person or a process expert,” Callahan explained. “Not only did you have to be well-rounded but you also had to be reasonably deep in all those areas. It was an incomparable challenge,” he said. He also described his total enjoyment in finding novel ways to approach problem solving -- or rather, in hacking as he thinks of it.
Callahan’s latest challenge is developing the security program at Illumina, a San Diego company that designs and manufactures machines used for genetic analysis, where he’s served as CISO and senior director of IT Infrastructure and Operation since April 2014.
“The CISO role is the opportunity to totally steer the security direction of the ship. I’ve had the opportunity to start security organizations in growing enterprises more than once. That’s a really fun and exciting venture to take on.”
In this interview Callahan discusses why security translates to helping the company conduct business while reducing risk, why companies should avoid purchasing security products that try to solve all of their problems in one solution and how to talk to the board of directors about security areas within their specific business parameters. He also discusses the benefits of security professionals sharing intelligence with their peers.
I’ve been in security for 27 years, so the CISO role didn’t really exist when I started. Initially, the question was more about why security appealed to me and the answer is simply because it was the most interesting discipline in technology I could find. It required you to have an understanding of a broad set of technology capabilities and skills versus just one area.
Today, the CISO role is an opportunity to implement change, often within a very large scope. As you progress in your career, through any career track in the field, you hope to get more responsibility and to keep implementing change at a pace that you’re comfortable with. The CISO role is the opportunity to totally steer the security direction of the organization- big or small. That’s something I really enjoy doing. It is a really fun occasion to go from nothing, to something that you can be proud of developing. That’s something that’s always drawn me to that role.
When you go to start any security program, the first thing you have to understand is where the organization wants to be and needs to be. Understanding the culture is paramount. Make sure that your own risk posture and comfort level align with the business. That’s the most important thing because you cannot walk into an organization and say you’re going to make the security culture one level on a spectrum when the company wants it to be something else, unless it’s entirely where it has to be due to laws and regulations. In that case, you need to be a really good influencer to make that change. It’s not entirely your decision. I think you have to learn that through the organization as quickly as possible.
It is everybody’s responsibility to follow the policies and rules within an organization. It is also everybody’s responsibility to challenge and change those rules if they are not appropriate. The security officer is not the police officer of the organization. We have to work with everyone else to find the right balance. The way to avoid killing innovation is to listen to what the business needs and goals are. We have to use our own innovative ways to reduce risks while avoiding hindering business success.
I was once Head of Security and IT Operations at a financial institution that didn’t have wireless networking. This was some years ago, but it was a time when most businesses had a wireless network. I asked leadership why they didn’t have one and they said, “Well, the auditors really frowned upon it and there was a lot of questions.” Then they said, “And frankly, we haven’t had the time to figure out how to secure it properly.”
At that I just thought it was entirely their job to have had that basic tool. I realized I couldn’t cop out on that responsibility and that was obviously an easy win for me, just to bringing wireless to an organization. It was far from being innovative, yet it was an organization that had been held back by this and they simply didn’t realize it. My team was able to give that to them and obviously it was an impactful, success difference and they liked not only the change, but that we were able to manage the auditors because it wasn’t some crazy idea.
Finding a way to let the business do what it needs to get done and still reduce the risk to acceptable levels is also critical as with this example of the obvious need to protect information within a financial institution.
Soft skills are one of the most crucial areas of expertise to have in this role. We are not the sole drivers of the security culture of the organization. We need to understand what will work or not, within the framework laid out by the executive staff and the board of directors. Then, you guide the security team keeping the culture as a top priority.
I’ve been fortunate enough at a few organizations to get to interact with the board on a regular basis. The number one thing that I would advise is to be transparent and honest. Otherwise, the CISO alone is carrying the weight of the risk at the company. Many CISOs have a security posture that has less risk preference compared to what the organization desires. This causes both anxiety over the difference of opinion and it carries potential future clashing with the board and executive team if the CISO didn’t effectively communicate the optimum risk control when given the chance. If the CISO adequately weighs the risks out to the leadership team, then even if the they vote on a more risk taking set up, the CISO hasn’t missed the opportunity to share the burdens of risk management.
Absolutely. I often must share the bad stuff more than the good stuff.
Well, that may be a personal challenge of mine. I’m not necessarily as concerned with the pat on the back as I am with ensuring that everybody understands the risks that we’re currently taking. Based on our posture, I lay out the things I can do to mitigate the risks then ask directly, “Do you want those things or not?” My takeaway when I’m working with the board or the senior staff is to have conversations and give them examples to make decisions in the organization that I can use as a guide for steering the security culture.
I can take one or two good conversations and extrapolate that to understand how they want the posture of the organization to go. That is really what I’m seeking in those interactions.
The board is typically a group of specialists from different fields that are getting together to help guide a business. They are used to making risk-based decisions all the time. Do we invest in A versus B? Do we buy company A versus B? Do we divest of a business unit or not? They’re constantly making trade-offs; this is what they’re really good at.
On one hand, it’s probably good to give them the confidence that the CISO understands what they’re doing and that they’re managing the organization safely. On the other hand, you need to give them those risk warnings to consider, so that ultimately the CISO understands the direction that the board or executive staff really wants to go.
I use exactly the same tactics. The board is always a diverse group. Some of them may have a technology background, certainly many of them would not. They may have finance or other specialized backgrounds related to the business. The executives are the same. Regardless of the industry, the have a day job that’s about running their portion of the business successfully.
The security aspect is something that impacts each of them a little differently, but at the end of the day, the basic principles apply. These are the risks that your business area faces. This is what it would take, possibly, to change those risks. This is the potential benefit in reducing those risks or risk of having them. The CISO asks each what they would like done, then makes recommendations.
First up, the San Diego CISO community is outstanding. It’s been together for many years, and gets together very regularly. The way we’ve built the group is to be incredibly transparent and straightforward with each other. There’s a lot of sharing going on and we have an established comfort level. Everybody is really good at talking to each other.
The primary value is that you have CISOs at many different levels across many varying industries. We’re all solving similar problems. They’re different problems specific to the organizations at different times but they’re all similar. One day, I might walk in and explain how I presented a particular challenge to my board of directors and others may really get value out of my example for their next board interaction. Someone else may present a problem with malware and share about a tool or technique that was used that definitively reduced the problem.
That knowledge sharing back and forth and across all the different industries is incredibly valuable. I recommend everybody be a part of some kind of social sharing in the security community.
Within the group, we try to focus pretty heavily on people in the security management positions. We have the largest companies here in the San Diego community and also many much smaller, with younger security programs. We want to be as helpful as we can to them. We know that as a community, we are exchanging staff and management back and forth from time to time. We’ve all crossed paths with each other at some point. Stating the obvious, mentorship is really important because the leaders that I can help today are likely leaders tomorrow.
What would I look for in a mentor or what would I recommend? Definitely find someone who is balanced; the larger the organization, the softer the skills are required. Like many jobs, we may start out as a technical leader before we move up into management positions. If you talk to CEOs, many will tell you that their job is about people. They’re about hiring and finding the right talent and building the right teams to accomplish a goal, and a CISO’s role is no different.
Personally, I have a real focus on finding mentors that are very balanced, long term thinking and understanding of how to share risk information across the organization. In our role, it’s pretty easy at times to have events and ‘the fog of war’ can feel pretty extreme. We need to be ready and able to think appropriately, so having good mentors who can help us think big picture and calmly plan appropriately are pretty important to me versus fear and doom or scare tactic approaches.
I would recommend really good listening and questioning skills. If you don’t have the subject matter expertise, you’re going to need to rely on your people. Can they deliver the information that you need to share with the organization?
This is no different than large enterprise corporations. If you look at Fortune 500 companies, many times they will rotate out IT leaders throughout the organization, with the goal of having the CIO experienced by moving around the organization to fully understand the business.
Security should be no different, other than the broad technical skills that I mentioned that can be required. If you’re an IT leader and you don’t know a lot about cyber and you’re moving into that field, you’re going to have to be exceptionally good on the people skills. Do you understand what the performance levers are in the organization and in the team, and can you build the right team and trust them?
It has changed drastically. Remember, 20 years ago there wasn’t a CISO role. If you were the head of security for an organization, even an enterprise organization, you probably never spoke to the board of directors. In my last two organizations, I spoke with the board quarterly, so that’s definitely something that’s changed.
The other side is the impact of cyber awareness across the organization. Twenty years ago, or even fifteen years ago, product security, from a cyber standpoint was much less an issue. Whereas today, every developer and every program manager has to have an understanding of the security elements of a program. And, there has to be an understanding where security is going to plug into the process.
Now, there’s an element of a security role that’s being applied to everybody’s job in IT. Modern job descriptions contain security understanding requirements, or responsibilities across IT and even into other areas of the business where privileged access is required.
You definitely want to avoid getting down in the weeds, meaning avoid the technical details. For example, the board is not particularly interested in why this configuration or that configuration is not working or how many Windows 7 boxes you have left in the organization.
The board’s main job is to assess the CEO. However, they also evaluate if other parts of the organization are running effectively. From the CISO, they want to know that we have a larger program in place and that we have the ability to measure and assess our program appropriately. They also want to see that it is right for this specific organization and how it compares to others. They may want an industry standard model that they could compare to other organizations of similar sizes from the CISO.
We’re a very traditional manufacturing company to some extent. We do have a SaaS-based software offering. Even then, with a SaaS-based software offering and this instrument, which is incredibly complicated, I don’t see the value in my team being part of the product roadmap discussion about future products.
My team designs product security for our instruments. We provide requirements into new products. We provide assessments and other things to help increase the security of our products. I don’t need to be involved in the product roadmap planning as that is business decisions. My role is to manage the risk to help make it happen.
Cybersecurity is not the goal of the organization. The goal of the organization is to unlock the power of the genome and develop that technology. Protecting that technology is an important part of it, but that’s just one piece. Supply chain, delivery, manufacturing, research and development, financial management, all of those things are critical to the operation running. Cybersecurity is useful to protect your interests and align with regulations across all of those areas.
I have a few rules. First, like most teams, I like to demo technology in my environment. I like to see it, touch it, feel it live. How does it fit into my organization? Like most enterprises, I have a very diverse environment, so it’s really important to me that the tools can all communicate with each other.
Second, my big one is and what I directly ask of vendors - I don’t want them to try and solve all of my problems. I want them to try to solve the problems that they believe they’re really good at and make sure they interact well with the rest of my ecosystem. When a vendor comes to me and they want to solve all my problems, they’re not the right one for me.
Third, is the lifecycle management approach. I encourage my team to take tools, leverage the value out of them by reducing the risk in our environment. We stay conscious that we bought tools that were really valuable when we got them and then we used them for a period of time to understand what they were solving, and we reduced risk. Then, discard the tool when it is no longer useful and we move on to another investment.
That’s right. You have to because our risks are constantly evolving. Today’s market leader is dead tomorrow. Traditional antivirus owned the market for 15 years and now they’re struggling because new product technology came along and disrupted the space. If you just keep paying for all the old stuff, you’re just burying your budget in things that are less and less effective. You have to be constantly retooling to be at the highest effective level.