The Art and Science of Cybersecurity
Ann Johnson: Welcome to "Afternoon Cyber Tea," where we speak with some of the biggest security influencers about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson. And on today's episode of "Afternoon Cyber Tea," I am joined by Voya Financial Senior Vice President and Chief Information Security Officer Stacy Hughes.
Ann Johnson: At Voya, Stacy is responsible for advancing the enterprise vision, strategy and road map for their industry-leading cybersecurity program. She has more than 20 years of experience leading complex IT initiatives within Fortune 500 financial technology organizations, most recently as the CISO of Global Payments, where she also held leadership positions across governance, compliance, accounting and the audit function. Stacy is a member of the Susan G. Komen Southeast Regional Leadership Council, after serving for over two years on the Atlanta board. She represents Voya on the National Technology Security Coalition, and she enjoys mentoring cybersecurity students to encourage and develop the next generation of leaders.
Ann Johnson: Welcome to "Afternoon Cyber Tea," Stacy. I am absolutely thrilled to have you on the program today.
Stacy Hughes: Thanks, Ann. I'm so excited to be here.
Ann Johnson: So as we get started, we've been looking, you know, forward to the conversation because I think we're going to cover some of the most important and relevant topics in the industry right now. And to get us started, I would love for you to talk about your journey to being a CISO at Voya. What led you to security compliance and risk subject matter at first? Why is it interesting to you? And why did you decide to make a career out of it?
Stacy Hughes: Thanks, Ann. A majority of my career before joining Voya was in the payments industry. And I had the amazing opportunity to work in many different areas in the business, such as internal audit and accounting, before I moved into the technology area. And with moving into the technology space, I was able to have a lot of opportunities and raise my hand and volunteer for new projects and assignments, which involved leading compliance initiatives from scratch, also focusing on IT security compliance areas and, ultimately, building an IT governance, risk and compliance team from the start. And that ultimately - all those experiences, having the business and technology experience, allowed me to move over into the CISO role. And why I'm a CISO and my passion is - you really have to enjoy what you're doing. And I really have hit my stride in my passion being in the CISO role. It gives me great opportunities to build programs and really establish a positive culture of information security. And I also get to work with amazing teams and business partners.
Ann Johnson: Yeah, I think the CISO role is so dynamic because you're working across the entirety of the business, right? Not just the IT operations, but you're on the leading edge of what the actual business wants to bring to market and making sure that they do that in a secure and compliant way. To me, that's incredibly fascinating.
Stacy Hughes: It is. It's one where I think for any CISO continuing to bring all of those facets into the business and help provide that context is a skill set that is continuing to evolve in the CISO community and world.
Ann Johnson: So when we think, then, about leaders and businesses in the financial sector, you see this broad spectrum of risks and attacks. From your seat as an enterprise financial sector CISO, can you tell me some of the trends you're seeing? Are the risks evolving? Are the risks staying the same? And same with the attacks, right? Do you see the attacks evolving, or is it pretty much the same, just on repeat?
Stacy Hughes: We continue to see some of the same trends that have been in place over the past few years - for example, social engineering, phishing, ransomware, keeping in front of vulnerabilities, for example. However, I am starting to see - and I think the industry is starting to see as well - risks with different technologies. Over time as we continue to know cloud, digital data transformations, as well as artificial intelligence, for example, and more recently, ChatGPT, we also need to be able to utilize those technologies in our environments and be able to do that in a secure way that makes sure we meet compliance requirements and privacy as well, too. And that's being able to help our businesses innovate and move forward.
Stacy Hughes: However, I do see with those great technologies, we also see that the threat actors take advantage of those new capabilities and technologies as well, and they're developing new tactics, techniques and practices against organizations. And as cyber professionals, it's really going back to some of the basics from an organization perspective in making sure that we've got, as an industry, very good security awareness with our employees as well as very good cyber hygiene. And to drill on that a little further, at Voya, our customers really entrust us with their savings. And we really view that as an honor and a privilege, which is why we take security so seriously - to make sure we're protecting the most valuable assets and uphold our customers' trust.
Ann Johnson: It's such a critical role - right? - being a financial services CISO. And by the way, all CISO jobs are important. I don't want to minimize anything, right? But being a financial services CISO and actually impacting revenue and transactions, whether it's a retail banking account or all the way through, you know, multitrillion-dollar institutional transactions, you're sitting right in this seat where you're seeing so much happening in the world day to day.
Stacy Hughes: Yes, we are. It is never-ending.
Ann Johnson: Yeah, it's never-ending. That's a good way to put it. You're also on this leading edge of cyber innovation. I find financial services CISOs are really on the leading edge. What's your perspective about what other industries could learn from the cyber programs and the practices in finance?
Stacy Hughes: The financial services space is very interesting because we're so highly regulated. And that can be a challenge to some companies and industries to be able to keep up with that - those regulatory requirements. But that actually, in my opinion, can help enable security compliance. And privacy really is the foundation to continue to move forward on those areas to really provide great capabilities or security and technology to ultimately move faster because I really view security as helping technology enable our business in achieving objectives. And I think it's so important that we continue to - you know, we have that as the financial services industry just having a little bit more regulatory requirements in place.
Ann Johnson: Yeah, I think that's true. And I think that your role and the role of your peers in financial services with that umbrella underneath regulated industry just makes the job very different. So to pivot, Stacy, I've heard you talk about the art and the science of cybersecurity, and that concept really resonated with me. Can you explain what you mean by that to our listeners? And what do you view as cybersecurity art?
Stacy Hughes: Yes. So the science involves utilizing existing use cases and established frameworks that are currently in place, such as MITRE ATT&CK, and that can help you to really assist in what you're looking at from overall threat modeling. And the art of it requires really partnering with our business, with application owners and our development teams to really fully understand how applications work and determine what is unusual behavior. And really, the partnering of the art and the science is what is utilized by teams to really help develop risk-based alerting to find that needle in a haystack.
Stacy Hughes: And for example, if I were to log in from an unusual location, it may be normal activity for me, but it could also be a threat actor, or I'm working remotely today from somewhere else other than my home. However, for example, if I log in to a new application that I historically have not utilized before, then that could be defined as potential unusual activity. So it's like the art and the science works together to help provide a very good perspective on the threat landscape and alerting.
Ann Johnson: Yeah, I just love the framing - right? - because I don't think any of this is binary. I think that we learn every day, and we need to apply those learnings. And some of that is just almost going off instinct and saying, OK, I've seen something like this before, right? Let me think about it.
Stacy Hughes: We do. And I think that continues to evolve each and every day as new threats continue to evolve and as everybody continues on their learning journeys within cybersecurity.
Ann Johnson: Yeah, exactly. Well, the other thing I've heard you talk about is the role that partnership plays across business and driving security programming. You talked about that briefly, but I'd like to dive deeper. Everything from understanding how a user interacts with an application to raising the cyber awareness of all of our employees - I know some CISOs really struggle with that partnership outside of security or IT. I'd love to get your perspective on how you engage and partner across the business successfully. And what advice do you have for CISOs who are navigating this challenge?
Stacy Hughes: I'll take a first step back before we get to the CISO level. But in your first jobs, before we become CISOs, my advice is to learn the business and take other roles in an organization that give you exposure to key stakeholders and business areas. I think really having that business context helps with a secure foundation on how to secure an organization. And with those developments, you can really build great partnerships. With those partnerships, you can also leverage them as you evolve in your career. And when you do move up to the CISO level, then you already have those regular meetings, that regular rapport already established.
Stacy Hughes: I also feel it's very important to host regular meetings with executives on a regular basis and talk about a number of different topics, not always on the security front, even though I know we could all talk about security for days upon days on end, but also talking to them about things that impact them personally as well as professionally and tying that back to security. I utilize an example often about multifactor authentication and making sure that our executives, our employees and everybody utilize that technology in their personal lives as well, too, in social media. You know, the Internet of Things, it's very interesting to see how you can correlate and find out information about you on the internet now and really being able to take that information and tie in how security impacts you, both with what you're doing in your private life and then also being able to tie that into how we mitigate risk in an organization. It really helps provide that value proposition because I really want to help our business partners to understand what's in it for them as we go through security trends and new security initiatives.
Ann Johnson: Yeah. And I think just the simple thing of educating users on how to use MFA and why it's important is a good place to start. But I love your approach because you're thinking outside the CISO office, and you're thinking about how it impacts other businesses and other places within your business. You're being asked to engage now more and more with CEOs and your board, and this is a new muscle definitely for some CISOs, that executive engagement, that board-level reporting. How do you approach the engagement with senior leaders and board members? And do you have any advice on how other CISOs can effectively inform, educate and influence their boards?
Stacy Hughes: Yes, I have a great interaction with our CEO on a regular basis. We meet monthly, and we have very direct conversations. And that is really important to have that - I'll call it hotline to the CEO because you need to be able to communicate security risks and opportunities within your organization. But also, with - pivoting over to the boards, they still typically want to see the same information every quarter. And I really do think it's helpful to provide updates on new emerging trends and how they tie to the threat landscape, as well as security initiatives for an organization. It really helps build that partnership because that way, if you're talking about a current cyber trend and then they read something in the daily news, they're familiar with the concepts. And I think that's how you build that partnership. A couple of other areas that I think are important are continuing to engage senior leaders throughout an organization to help drive the message down with those other meetings that I mentioned before. And finally, I really think it's important to have information security be part of an organization's overall goals and success criteria.
Ann Johnson: I think that's incredibly important, to be able to measure risk - right? - and to have it part of your goals and be able to communicate it. And it sounds like you're doing that really well. Pivoting again, I know you have a lot of passion for talent development and building up the next wave of cyber leaders. And it's critical right now. We're still facing a talent shortage in cyber, and the need for cyber leadership obviously is continuing to grow as attacks and threats grow. What's your perspective on this challenge, and what approaches would you suggest other CISOs think about when it comes to talent and leadership development?
Stacy Hughes: I'll first start with talent. I really - with all of the shortages of cybersecurity professionals in the industry, we need to think outside the box a little bit and really encourage others that may have a very different background that may want to pivot into cybersecurity and help give them opportunities. There are a number of programs that are one-year cybersecurity certificates, teaching very technical skills that allow professionals to have some background and then be able to pivot into real-life experiences. So I think that's very valuable for our future generation.
Stacy Hughes: And also, really taking time as senior leaders in cybersecurity to mentor. It is really exciting for me when I get a chance to sit down and work with students - I even spoke at a women in cybersecurity event last night. There's a lot of energy that comes from those interactions and understanding what everybody's passionate about, because cybersecurity is fascinating because there are so many different areas that you can go within the cybersecurity field. And that is really important to me to be able to help guide, encourage and mentor and explore other opportunities. There could be a student that may be very interested in pen testing, but they also may be very good in application security as well, too, with that natural curiosity and looking at things. And really being able to open up a current cybersecurity professional, somebody trying to enter in, a student or starting their second career, understanding their passion and helping guide them, but also being able to provide mentorship opportunities, even help do - I've done resume reviews. I've also helped with mock interviews to be able to have everybody have the confidence in themselves. And I really enjoy being that cheerleader behind the scenes.
Stacy Hughes: On the talent front in developing our next leaders, it's really taking the time to help build the skills. And some of that is soft skills and being able to understand the business and tying that to what ties into cybersecurity and providing opportunities. I really look at that as when I have a meeting or an event coming up, there's a couple things that I can always do to help mentor and encourage and build leadership. And, one, is there an opportunity to where a team member can come and do a presentation? Maybe the first time just to me in a safer zone, but to develop their confidence, but then also moving into larger meetings and also being able to have opportunities for the next generation to sit in on meetings and learn. There's a lot of times where you can sit back and learn and observe how people handle situations, how they're communicating, that are nonverbal cues I think you can really pick up on and learn to develop your leadership style as you continue to progress in an organization.
Ann Johnson: I love what you said about progressing your leadership style and the tie-in to that to mentoring, right? I do a lot of mentoring, and I find that I learn a lot from my mentees, right? And it makes me think about what I'm doing and what I should be doing in the next wave of my own leadership. So yeah, it's funny how much you learn the more you talk to people.
Stacy Hughes: You do.
Ann Johnson: So, Stacy, thank you so much for sharing your insights. It's been a really good episode for folks to understand, you know, the role of a CISO and also to understand advice for other CISOs and also up-and-coming, you know, cyber professionals. We always like to send our listeners off with some inspiration for the future - two key takeaways. What do you think is most important to our audience to know, and why should we all be optimistic about the future of cyber?
Stacy Hughes: My one piece of advice would be don't hesitate to learn something new in cyber. Raise your hand. Take additional courses and certifications. And realize where your passion is and try something new. Not everybody in the profession has a full technical background in cybersecurity. However, it doesn't mean that there aren't other strengths that would make you successful in security. And diversity in our backgrounds really helps to protect our organizations, as well as our customers. And why is it so exciting? Because there is never a dull moment in cybersecurity. And that is why I love my job.
Ann Johnson: There is never a dull moment - I think that's a wonderful way to end. Stacy, thank you again for taking the time to join "Afternoon Cyber Tea" today.
Stacy Hughes: Thank you so much, Ann. So happy to spend the afternoon with you.
Ann Johnson: And thank you to our audience for listening. Join us next time on "Afternoon Cyber Tea."
Ann Johnson: I invited Stacy to join the podcast because I always think it's important to hear from a real-life chief information security officer who's in the trenches today securing a regulated industry like financial services. The conversation was great for folks who are CISOs - it gave some really practical guidance - and, of course, for up-and-coming security professionals.