As the New Year approaches, we sat down with Lisa Young. Lisa is part of Axio’s leadership team and VP of Cyber Risk Engineering, and we were eager to discuss the evolution of cybersecurity maturity into 2021 and our exciting world of risk management.
This summer, Lisa caught the attention of a DHS task force set up as part of Operation WarpSpeed, to help the medical supply chain better tackle cybersecurity concerns that have been amplified by the COVID crisis. She was offered an important role on the task force. And just recently, Lisa was elected to serve on ISC(2)’s board of directors and will bring her broad industry experience to lead innovation and thought leadership at the world’s largest non-profit for information security professionals.
The following is a transcript of the discussion.
Tell us a little bit about how you got into the world of cybersecurity.
I’m a network and voice engineer by training. I did everything from pulling cables, installing servers, to writing software. But I was never just a coder. I was more involved in infrastructure, transmission and telecommunications. Information security was always part of my job, long before cybersecurity became a hot buzzword. We’ve always had nefarious actors and it was important to protect the enterprise and its infrastructure against them. When I started in this field it was more about availability events that would disrupt the operational technology from functioning rather than preventing threats and managing risks.
How have you seen the cybersecurity buzzword gain adoption?
I think we evolved organically as digital transformation became integrated into mainstream business operations. We’ve shifted from relying on tangible information that was in books and newspapers to depending on intangible data stored on bits and bytes. The data has also become more transient since it’s generally never in one place for very long. Whether the information was financial records, trade secrets, or healthcare, we quickly realized this was what the adversary really wanted, and it was necessary to think much differently to protect it.
It’s often the case that nobody starts in cybersecurity. Do you feel it’s necessary to have a broader training grounded in IT before specializing?
It’s true that many practicing cybersecurity practitioners today come from IT backgrounds. The cybersecurity problem will not be solved by technology alone. We need a cadre of diverse thinkers to envision solutions to problems we do not yet fully understand or for which we do not have full visibility. Situational awareness and information sharing are the keys to adaptable solutions. The dynamic for the future generation is changing, because we now have specialized educational and certification programs which did not exist twenty or thirty years ago. What hasn’t changed is that many current programs are based on OSI data processing principles that we all had to learn, and those bits and bytes haven’t changed. The way we put data together and take it apart is what has changed, and it’s nice to see more specialized educational resources for those who are interested. That said, the cybersecurity profession needs an interdisciplinary approach to the problem space.
What’s your take on this shift in more specialized cyber education?
I believe in teaching people about cyber, no matter what their background. Many of us, especially in the United States, are users of technology, rather than systems thinkers.
I was privileged to have dinner many years ago in Washington DC with the president of Estonia. And he said to me, “Lisa, here in the United States, you all teach your children to be users of technology. You give them gadgets and devices like smartphones, tablets, smartwatches. But you don’t teach them to think about how that underlying ecosystem works. There’s this crucial gap between technology and the systems thinking. Many don’t realize what it actually takes to operate, protect, and sustain this kind of digital experience.”
Cybersecurity, and more specifically, cyber risk management, is a team sport. It isn’t something that you do once, but a continuous process you must work at and collaborate on to get better.
You transitioned from systems thinking to a conversation on cyber risk. What was that journey like? Congratulations, by the way, on the appointment to the ISC(2) Board of Directors!
Thank you! For me, the journey from understanding cyber threats to understanding cyber risk began when I was teaching at Carnegie Mellon University. My students were CIOs and CISOs, as well as people who were aspiring to achieve that role one day. I realized a lot of them were missing a critical competency: the ability to have a broader view of the importance of digital assets in the context of the mission, business, and strategy. This way of thinking about cybersecurity as the foundation upon which business operates was very interesting to me.
Many people view cybersecurity from the technical realm. When they see a cyber threat, they want to decompose it, study the adversary’s tradecraft, and quantify the probability of the threat materializing in their organization. That’s not to say professionals in the industry shouldn’t clearly understand cyber threats. But the reality is that they rarely have control over preventing them. What cybersecurity professionals do have control over is their ability to successfully run the business regardless of what is happening in the outside world.
Realizing there was a disconnect between the percent of time spent chasing cyber threats and the percent of time spent understanding how those threats may actually impact your ability to deliver your enterprise mission was the transition point that led me to focus my career on cyber risk management. Risk management is about uncertainty, informed decision-making, and the application of resources to scenarios that may or may not materialize.
This concludes part 1 of our Risk Journeys interview with Lisa Young. Stay tuned for Part 2, where we dive into cybersecurity mental models and how to best talk about cyber risk with senior leadership.