Afternoon Cyber Tea with Ann Johnson 5.14.24
Ep 97 | 5.14.24

Cybersecurity in Focus with Katie Jenkins


Ann Johnson: Welcome to "Afternoon Cyber Tea," where we explore the intersection of innovation and cyber security. I'm your host, Ann Johnson. From the front lines of digital defense, to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today, I am joined by Katie Jenkins, the Executive Vice President and Chief Information Security Officer at Liberty Mutual. Katie Jenkins is the Chief Information Security Officer and Executive Vice President for Global Cyber Security at Liberty Mutual Insurance, where for the past six years, she has been responsible for ensuring protection of company data, defense of the brand, and minimizing business impact of cyber attacks. Katie has applied her knowledge and leadership in both startup and Fortune 100 environments, and has had roles in professional services and leading enterprise programs. Katie is a proven builder and a leader of diverse and global teams in complex and dynamic situations. Katie is the executive sponsor of multiple DEI programs, such as Women in Technology at Liberty Mutual. She holds advisory roles at several venture capital and private equity firms, and acts as an adviser and guest lecturer for multiple universities. Welcome to "Afternoon Cyber Tea," Katie!

Katie Jenkins: Well, Ann, as a long-time listener of "Afternoon Cyber Tea," I'm really pleased to be here. Thank you.

Ann Johnson: Thank you for being a listener. I really appreciate that. I know you've given me feedback over the course of the years we've done "Afternoon Cyber Tea," and it's always great [chuckling]. So, a lot of cyber professionals I speak with have interesting stories about how they got their start in the cyber security space. Many were in cyber roles before there was such a thing as a cyber security industry, and some even came into the industry by accident. Can you share a little bit about your career journey? How did you get into cyber security? And what has kept you engaged for 25 years?

Katie Jenkins: Hm, well, my answer sits somewhere between luck, being in the right place at the right time, and following my curiosity, and maybe I'll explain that a bit more. So I did not have the good fortune of having access to cyber programs as an undergraduate, but I did have a cryptography elective as part of a math major when I was an undergrad, so that opened up my eyes to the field. But I really have to credit my first job. I landed it at a big four accounting firm. I was testing logical access and change management controls, and this was all at a time opportunistically, really, where their security practice was being built out, given the evolving federal legislative activity in the U.S., and I got to sort of shift my focus, and get a chance to do things like test ATM machines for a bank to see if we could produce, you know, unexpected outcomes. Or do physical penetration tests, where all I have is a letter in hand to say if I get caught trying to enter a data center, that I have the authority to do so. And then as I fast forward, you know, from my years in professional services, to Liberty Mutual, where I've held a variety of security roles, and as you cited, six years in the CISO role, I do get to think a lot about what has kept me engaged. As you say, I think that the field has always been interesting to me. I haven't been bored a single day in my professional career, but there's always been this angle of being connected to a customer-focused mission, and I have the good fortune of being an educator, right? I get to educate all of our employees that can take security knowledge to their homes, to their families, to their personal lives, and hopefully make their lives a little bit easier too.

Ann Johnson: That's fantastic, and I think you definitely have to have a passion. I've been doing cyber-was 24 years this month. You have to have a passion to stay in the industry, because the industry is dynamic, and sometimes it's incredibly stressful, and other times it's really rewarding. I love it. A couple of episodes ago, one of my guests on "Afternoon Cyber Tea" said something really interesting. He said something to the effect of even though history may not repeat itself exactly, it sure does rhyme pretty often [chuckles] yeah, I actually really like that. I said it to my family and they were like, that's better, yeah!

Katie Jenkins: Yeah, I like it too.

Ann Johnson: But he was using this phrase to compare some past events with what we were seeing today in the cyber landscape. As you reflect back in your current cyber, what has changed the most in the last 25 years, and do you think anything has actually stayed the same?

Katie Jenkins: Sure. Well, the internal chuckle I'm having is, you know, recalling early days when I've written some clean desk policies. Remember those? Where we're giving guidance to clean your desk at the end of the day, so no one can view sensitive information in your work space. And like, the chuckle that raises for me is that, oh my goodness, the type of risks that we are trying to mitigate today, the ecosystems that we're trying to protect, where we have on-prem assets, cloud-based assets, corporate managed devices, BYO devices. This all bears so little resemblance to 25 years ago, but perhaps, you know, most significantly of what has changed, I'd have to say it's the mindset shift, right? I'm going to start with like, executive buy-in, right? So you know, I distinctly remember the days where we were trying to convince the higher ups that our work really mattered, that this wasn't some esoteric body of not well-understood work. Today, our executives recognize that cyber risk is business risk. And this has the effect of flowing down to the full work force, right? So security, thereto is not a back office function that employees are suspicious or fearful of. I think today what is so different is that employees want to help. They feel a sense of ownership and pride when they identify concerns. And they're really seeking to engage. And that is probably what has changed the most.

Ann Johnson: I love that.

Katie Jenkins: Yeah.

Ann Johnson: That executive buy-in, I used to joke that people spent more on their coffee budgets than they spent on their cyber security budget [laughter].

Katie Jenkins: Yeah.

Ann Johnson: And I think that has changed, right? It's a boardroom conversation, your CEO is engaged, your most senior leadership team is engaged, and that's great, because it's going to force us, as an industry, to be better, to be faster, and to be more dynamic.

Katie Jenkins: Yeah.

Ann Johnson: Katie, you have a big job as a Fortune 100 company, so congratulations, by the way. That's amazing.

Katie Jenkins: Thank you.

Ann Johnson: From this perspective, you see a lot. You have a bird's-eye view of the trends impacting our industry. What are you seeing today? What's on your radar?

Katie Jenkins: Yeah, well, if I'm honest, I'm not sure what I'm about to say isn't something that all of your listeners aren't attuned to and seeing as well. I think we have, you know, perennial themes to trends, like third-party and supply chain risk. That's always on my radar. The attack trends, whether they be people-based attacks, identity compromise, that's something that we're, you know, the team is really attuned to, and then, I think that it's important to look at trends, and the threat actor motivations. Obviously, having shifted to financial gain, disruption, using disruption in an intentionally broad way, business disruption, advancing geopolitical agendas. But I would be like super remiss not to add gen-AI here, right? And I think this is not to disrespect our history, where insurers like Liberty Mutual have been using AI for predictive insights, and its benefits, and insurance fraud identification, but you know, the advent of putting gen-AI into the hands of the masses, really is in fact game-changing, right? And I was trying to explore this thought of is this like the first tech trend that our business leaders are actively engaged in and really excited to adopt? I mean, if I compared it to our cloud journey, those same leaders supported the journey to the cloud. But I think that was based on the trust that they had in their IT partners, that you know, this would yield improved agility and cost transparency and those types of benefits, and supporting a trend, like cloud, I think is incredibly different than really wanting to engage with a tech and feeling excitement for the potential business outcomes, and that is why I think so many people across tech, across many different industries, but particularly in security, are really paying attention, because there is still a lot to evolve in this space.

Ann Johnson: Yes, I think it's really hard to have any conversations cyber type without talking AI, right? So let's dig there, for just a minute. There is a lot of buzz around generative AI, how it is going to help us be more productive, more secure, and there are some really interesting security use cases. How is generative AI challenging and/or advancing your security programming?

Katie Jenkins: On the challenge front, I think that there are really three dimensions that security is working in, and some of the challenges needing to be intentional not to fragment our focus. So let me just kind of run through how I'm defining these three areas. One is the important and initial role that security played in establishing our guardrails, our policies, our governance processes, that supported gen-AI adoption broadly within the organization, so there's sort of the governance piece. The second angle is looking at our own early-use cases within security. So I'm talking about phishing detection, threat intel summarization, control narrative development. I mean, there's a lot of conversations like taking a look at our due diligence outputs from third party risk assessments, or looking at vulnerability data. That I'm not asking my team, can we get any benefit from gen-AI, and sort of it processing, and getting good summarization here? So I think that our own use cases is the second part that's challenging, to make sure that we are prompting ourselves to be using it as much as we responsibly can. And then the third area is obviously a defensive posture, right? So it's sort of the anticipatory nature of adversarial use of gen-AI that has us really paying attention and to get ahead of that, trying to think of how we can automate more of our workloads and really try to make more space to handle what I'm sure is going to be, you know, an onslaught of activity, so the challenge is trying to find balance in all of those important dimensions. But you added, you know, advancing. How does it advance our interest? And the question there, which is that I gave some examples, where I think that we're getting some early benefit from phishing detection, access role mining, but I think the best is yet to come. 
And I feel-I hope I'm not overly optimistic in this, but I think that there are benefits that gen-AI will present and you know, capabilities will mature around behavior analytics, anomaly detection, vulnerability prioritization. So I feel balanced in sort of my caution of the threats that, you know, we're starting to see, but we really expect to see in force in the future as well as the way that it can really help fuel our insights, and operational efficiencies.

Ann Johnson: I think that's right, and some of those topics you talked about, you know, we see coding as an example. We see the ability to modernize the SOC, the ability to actually do better and faster vulnerability detection and patching, identities, it's just-anything where you have a large amount of data, and everything about security is a large amount of data.

Katie Jenkins: Mm-hmm.

Ann Johnson: So it should be. You know, Katie, you're like me, you've seen the year of everything. And security-you go to the RSA conference, and see the year of this, that, or the other. I do think generative AI will be a step change for cyber security. I think we need to temper our expectations though, to make sure we're being realistic of what it can do today versus in the long-term.

Katie Jenkins: Yeah, yeah. That's fair.

Ann Johnson: Let's pop back up to the big picture, a little. One of the most important transitions I've seen in my career in cyber is the, you know, the cyber team being off to the side, and being, you know, people thought they were business blockers, and they said no, and they enabled the mission. And in recent history in cyber, I'm seeing many more CISOs involved in the core of the mission, driving the mission, moving the mission forward faster. Can you tell our listeners, how does security support the company mission at Liberty Mutual?

Katie Jenkins: Gladly. As a company, we believe that progress happens when people feel secure. So if you think about customer of insurance, Liberty Mutual customers, policy holders are engaging us. Usually when something bad has happened. There may be a personal crisis, perhaps, like an auto accident or storm damage to one's home or a business interrupting event. And considering that context, we can't afford a cyber-based disruption that would leave us unable to help our customers in their time of need. So, as a security organization we really do have clear line of sight of where our mission intersects with our business outcomes. And I think that is something that is engaging to the team, and really gives us a sense of purpose.

Ann Johnson: I think that's so useful. And I know, because you and I have spoken, that you're very connected with the senior executives there, and understand the strategy, and help them drive the strategy securely. So it's a credit to you that you have that collaboration, have built those relationships.

Katie Jenkins: Yeah, thank you.

Ann Johnson: You and I have known each other for a little while, and I know the culture of security is really important to you and to Liberty Mutual. Can you reflect on the culture of security transformation within Liberty Mutual, and any advice you have for your peer leaders who are navigating a similar transformation?

Katie Jenkins: Yeah, and this is one of my favorite things to talk about, I have to say. Through Liberty's culture, and how it's an asset to our security mission, so, Liberty's culture of responsibility and integrity presents a major advantage in terms of how we're trying to drive a strong security culture. So we brand our culture and human risk programming as responsible defenders, and we view our work force, truly as not our weakest link, but as our greatest assets. We are inviting our workforce to help be the eyes and ears and front line defenders, and this is a point I think that CISOs could argue about, I mean, yes, there are mandatory aspects to our programming, required training, particular outcomes, that if you fail, a certain number of phishing, smishing, vishing exercises-you name all the "ishings," right-but we are really more slanted towards incentives, in celebrating employees who have successfully identified suspicious or non-compliant behavior. We have, you know, quarterly celebration of our first defenders that maybe have identified the most number of actual phishing attempts in that quarter, or kind of recognized something very unique, and that, you know, was front-page news in our intranet, and gets celebrated. I had an interesting discussion actually earlier this week. I met with two members of our tech help desk, who successfully detected voice-based social engineering attempts, and we know that this is a prevalent tactic today. And it was a fantastic conversation, because it was really important to ask where, you know, these help desk agents felt prepared to identify these calls. And you know, what more can we do with this partnership with security to give them, you know, increased detection tools, right? But the same feels a rightful sense of pride in identifying that, right? So that's really cool.
And I think that, you know, what I would say to those that are seeking advice is that shifting our culture to be more reward driven has really led us from a place where security issues are more prevalently identified by security team members, to now, there is really an open sharing, and you have engineers coming to the security team, to report maybe things that they've seen or suspect are at issue, and I just feel that that sense of sharing and collaboration is giving us much better outcomes. You know? If we don't know something is an issue, we can't make it better, and so the culture is really something that I credit for a lot of important outcomes for a company.

Ann Johnson: One of the things I heard you say that was so important, yes, there's all the mandatory trainings, we all know that.

Katie Jenkins: Mm-hmm, mm-hmm!

Ann Johnson: Then you said we invite our people, I think that is so-it's like fresh air, right? For me to hear that, because, it's one of those things where instead of enforcing, security always seen, we're going to enforce, we're going to demand, we're going to make you do these things, you're saying we invite our people to participate. It's such a culture shift.

Katie Jenkins: Yeah. Yeah! I think that when we couple, we create friends and family guides, we say to our employees, look, here's how you can detect phish, or here is how you can protect your identity, or here is, perhaps, some of the settings you don't know about, but could utilize in your social media accounts. People see that as like, okay, you know, the ask really is for me to protect the company, but I also feel like I'm getting a benefit that I can bring home, too, and I think that helps to bridge the yeah, we're busy, and people don't want to have to do one extra thing just because security has asked, but it's-but it has really fostered that sense of, it's-it's, you know, it's important. It's the right thing to do. And people take that to heart.

Ann Johnson: I think that's right. Well, thank you for sharing those thoughts. Another popular topic I hear about, it's not new, but it's that concept of collective defense and collaboration amongst industry peers, and even suppliers, on intelligence and info sharing. In my view, the financial services industry actually is the gold standard. It does this quite well, and in many respects, it's on the leading edge. What is your perspective on industry sharing? Is it working well? Is it working as intended? And what would you improve?

Katie Jenkins: I see this as a bright spot. I have more trust in suppliers, who are sharing intel in a forthcoming way. I'm getting better and more actionable insights from member-based, subscription-based services. And perhaps most heartening of all is the informal sharing that I think many, if not most of my industry peers, are committed to, right? Security's job of thwarting threat actor activity-it's not a zero sum game. One's gain is not another's loss, and I think that sense that collectively we can defend ourselves better when we share-I'm like super happy to make a connection when someone in my network feels like they have intel that could connect, that could help someone else, but they don't know that person. I've benefitted richly from-from this community-so I'm always happy to make that connection. Because I really think that it speaks to the-we're stronger together, one organization doing security better than another is not, you know, a competitive advantage. We're fighting the same battles. So teaming up feels like that is, that truly is a bright spot in making our work a bit easier.

Ann Johnson: That's really great to hear. And I know that we're working with other industries, right, to be as good and as fast and as agile as we see the financial services industry. Yeah. We have one more important topic to cover before we get to some fun questions.

Katie Jenkins: Yeah.

Ann Johnson: We know-studies have shown us-like, companies that invest in diversity equity inclusion are more innovative, it leads to better collaboration, better outcomes, you have long been a vocal supporter of women in IT, and women in cyber security careers. How is that supported at Liberty Mutual?

Katie Jenkins: Yeah, I have the privilege of being the executive sponsor, not only to women in technology, but also our tech DEI council, and this comes, I guess this not only comes from a desire to pay it forward, I've accumulated my fair share of experiences of being the only or one of the few women in the room. But it comes from a selfish place, too. It comes from a deep-rooted belief that having a diverse and inclusive security organization is a necessity for our success. I like to win, right? Security is-is really an amazing field, to have a fulfilling career, and it gives my job extra meaning, to invite, to support all who want to join in our mission. So, when you say like, how is this supported at Liberty? I would say all of this is very aligned to Liberty's values. So I, too, feel supported as a champion for others.

Ann Johnson: I love that, I mean, I've been in tech my entire career, you've been in tech your career.

Katie Jenkins: Mm-hmm!

Ann Johnson: There's a couple of things for me there. There is this pragmatism of we never have enough cyber defenders, so we need to make the industry open and inclusive, so that more people want to join it that have different backgrounds and are, you know, women, and all those dimensions, right? Of diversity. The other thing is-it's just a little more comfortable being in-I was in a room this week with 30 cyber security senior executives, and I was one of three women. And it's just not super comfortable, right?

Katie Jenkins: Yeah-yeah.

Ann Johnson: And even though, by the way, there was very little of the aggressive behavior seen, the men in the room weren't talking over the women, we've come a long way, right? It-when there are just a few women in the room, they're equally respected, at least, you know, the situations I'm in. But I just would love to see more. That's all.

Katie Jenkins: Yeah, that totally mirrors my experience. I find it a very welcoming community to be in, and yet, I still feel a sense of disappointment that things could be a little bit more, more balanced in the room, so, it's come a long way and we have more work to do.

Ann Johnson: Yes we do! So, I have fun questions-

Katie Jenkins: Oh!

Ann Johnson: Before we wrap.

Katie Jenkins: All right!

Ann Johnson: Let's do two. What is the best piece of career advice you have ever received, and in turn, what advice would you give to aspiring cyber leaders?

Katie Jenkins: Okay, the best advice that I have received is to be vocal about my long-term career goals. And I don't know if this is a generational thing, but you know, when I started in security, my mantra was work hard, get noticed, be promoted, and that-that carries you through for a period of time. But you know, I can actually remember the exact office I was in, the time that I said it, but when I said out loud to a tech executive that I wanted to be the CISO one day, I felt that that set some wheels in motion that allowed me to work with more purpose toward that goal. So, I don't know if that would resonate with others, but just articulating it, even if it's-it's far out. I think that that betters your chances of getting there. My advice for others, I've got to go in different directions here. Be nice to others. Or maybe better said, be someone that others want to work with. I was a collegiate rower, I used to say rowing is the ultimate team sport, and I have changed my tune. I think that security is the ultimate team sport. I mean, when you think about the partnership, and the actions and prioritizations that you need from your infrastructure, peers, networking, engineers, you-you need as many people on your team that want to work with you in this important mission. So I just think that because security is not just done by people with a security title, or in a security organization, being able to build community and being able to get people to want to be part of what you're doing, I think, is really important. But the other piece of advice I'd have is-is based on the reality that this is a tough field to be in and it's important to learn what recharges your batteries. And you did-I don't even know when it was-you did a prior episode on mental health or personal resilience, and you know, that spoke to me. I think to play the long game, you have to take care of yourself. 
You have to protect your time for what matters most professionally and personally because you need to give a lot in this role, so you've got to make sure that you're recharging your batteries. I think that's how I would say that.

Ann Johnson: I think that's right, in all dimensions, by the way. One, don't be a talented jerk [laughs], two, I tell people, the phrase I use is, you know, when I tell people, you have to manage your own career. No one is going to manage your career for you. You have to be outspoken. I say to people, you know, participate in your own rescue. If you're not in the right place, then, you know, be vocal and find the place that brings you joy, but I think everything you said is just really great advice and I know our listeners are going to get tremendous value from it.

Katie Jenkins: Great.

Ann Johnson: Well, I want to thank you for joining us. Despite the rise in overall cyber crime, I still believe the Cyber Defenders are more often than not one step ahead of the bad guys. I am a cyber optimist. I'm an optimist about the future, and based on our conversation I believe you are too. So, as we wrap, I'd love to hear why you're optimistic about the future of cyber, in your perspective on how we best defend the digital world.

Katie Jenkins: Well, I'm laughing, Ann, right? I think that security professionals get typecasted as pessimists, and that is not my experience. I mean, it would be very hard to get out of bed each day, and tackle difficult work if I didn't think that my team and I were making things better. So, I am an optimist. I'm most optimistic about our next generation defenders and cyber professionals. I mean, when I look around, we have incredible talent, coming from universities, trade schools, people that are transitioning from military careers, via Hiring Our Heroes, that's the organization we're working with. There's a digital savviness, a global-mindedness, intellectual curiosity, all of these characteristics that really make me feel confident that the future of security is in excellent hands.

Ann Johnson: That's just joyful to hear, and I agree with you. We are not pessimists, we are realists at times, and maybe that sounds pessimistic, but most cyber people I know, to your point, and I say that wouldn't get out of bed in the morning if they thought they were going to fail every day.

Katie Jenkins: That's right. I could go with realist. I can handle that label. But not pessimist.

Ann Johnson: You got it. Well, thank you again, for taking the time to join me, today, Katie.

Katie Jenkins: It has absolutely been my pleasure, Ann. Thank you.

Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." [ Music ] I invited Katie to join me on "Afternoon Cyber Tea," because she is such a dynamic cyber security professional. She is just really, really balanced in how she thinks about the industry. She has a fantastic positive and optimistic approach. It was a wonderful episode, and I know the audience will enjoy it. [ Music ]