Fortune 500 CISO Patricia Titus Talks About Enabling Change in Cybersecurity
Written by: Black Kite
From a Chief Privacy and Information Officer, to spending time in the U.S. Treasury Office, to holding a seat on multiple boards of directors, Patricia Titus has seen things in the world of cybersecurity that most can only imagine.
In an episode of the Risk & Reels podcast, we spoke with Patricia Titus, Chief Privacy and Information Security Officer for Markel Insurance. Read on to explore highlights from what Titus and Jeffrey Wheatman, Senior Vice President at Black Kite, discussed during this episode — including how Titus enables change through de-prioritizing credit, building consensus, and ensuring clear communication through every interaction.
*Conversation has been edited for length and clarity.
Jeffrey Wheatman: Let’s start with some movie talk. I’m a huge fan of character-driven movies, and I think strong women are often underutilized and underrepresented. I want to hear your thoughts: Who are some of your favorite female characters? Who do you think is a good role model?
Patricia Titus: The female characters in the Downton Abbey series have interesting lead roles. Back in the day, women weren’t allowed to hold prevalent positions. Even though they’re heirs to their fathers’ dynasties, they weren’t given the time of day because of their gender. The women in Downton Abbey exemplified the tenacity required to drive the change we see today in our workplace.
JW: I especially enjoy the woman who ran the entire house, Violet Crawley.
PT: She ran the house with dignity and respect. And I think that’s an attractive characteristic many wish to emulate in our work life. I also find it fascinating that they don’t have to deal with cyber attacks. They just have to deal with marauders and gossip. They don’t have to worry about cybersecurity and encryption as I do.
Credit Where Credit is Due?
JW: You talk about exerting your strength when not being allowed or expected to do that. You’re an immensely successful security and privacy executive in a male-dominated field. And the insurance industry has been around for a long time.
How do you push for that change when you know people will push back and say, “Well, we’ve always done it this way”?
PT: I have not handled the status quo well for most of my life. I don’t do things in a traditional sense. I went into the military when many women were not. I dared to get married, then pregnant, and was promptly encouraged to leave the military. So when I look for new leaders in my organization, I always ask how they deal with the mentality of: “We’ve always done it that way.”
On the topic of change, here’s a quote that I find inspiring: “A lot more good could be done in the world if people didn’t care who got the credit.” We’ve all been there. You have an idea in a meeting, and everybody says, “Oh, we can’t possibly do that.” And about five days later, someone else says the same thing, and now it’s a great idea.
If we stop worrying about who gets credit and focus on the outcome, change is much easier to enable.
Now, you can discuss further and say, “I know we’ve always done it this way. Nobody wants to fix it because it’s not broken. But it’s not going to scale. So, let’s have a conversation about where we want to go.”
Consensus Building is Critical
JW: It’s interesting you say that because I always tell people, “Look, your bosses care about three things: Money coming in, money going out, and if something goes sideways, who’s getting in trouble?”
Consensus building is one of the key roles of a security and risk executive. Imagine you’re part of an executive team where some people have been around a long time and are stuck in their ways. How would you build consensus when trying to change processes?
PT: The hardest part of that is truly understanding a business. I went on a listening journey when I first joined the cybersecurity industry. From that journey, I learned that you need a solid stakeholder in the room to get your point across.
Alan Paller, a cybersecurity legend, once said:
“The best way to get thrown out of an executive’s office is to walk in and say, ‘I’m sorry, you can’t do that because you’re violating policy.’”
You have to appeal to those three things you talked about: Money coming in, money going out, and risk management. The conversation should focus on managing risk across the enterprise based on who’s making the decisions.
But the hard part for CISOs is navigating who says, “No, we can’t make these changes.” Have they been educated about what could happen if they don’t? As soon as you take a piece of paper and say, “Sign off on this risk because you’re accepting it on behalf of the entire company,” it becomes a completely different conversation. Now the conversation is, “Wait, I didn’t realize how bad the risk is.”
Communication is Key
JW: [Executives] don’t know the risk level because nobody communicated it to them.
PT: Exactly. It’s like when an IT team tells employees to change their passwords without telling them why.
CISOs are good at saying, “Catastrophic network failure will cost us $4 billion.” You can’t go to the CEO with this ginormous number because they won’t take it seriously. [Instead] do your research and come up with quantifiable numbers. What is a network failure really going to cost the company?
When it comes to true change, I like to live by this quote:
“Change fixes the past, and transformation creates the future.” In security and privacy, we have to transform to create the future.
We need to think about how we can responsibly use artificial intelligence and machine learning to create the transformation our companies need. How are we automating capabilities? How are we creating automated capabilities that feed reports where we can get to what’s meaningful for our board and corporate executives?
Look at Things from Someone Else’s POV
JW: Someone once asked my old colleague Paul Proctor, “How do you know what the board wants?” He said, “You could ask them, but everybody’s too afraid.” People are nervous that they’re not presenting the right information for them to respond to.
PT: I hear many people say, “I’m putting the number of incidents we had last month in front of the board.” Buddy, the board wants to hear about anything that has a material impact on the financial stability of the company, not the number of incidents that occurred in the past month.
For example: What’s your mean time to respond? Do you have an incident response process? Do you have a crisis management working group? Who’s going to communicate with people? When do we talk to the press? When do we notify our customers? All of that is about communication.
During 9/11, I was the acting Secretary of the Treasury. We had practiced every scenario you could think of, except evacuating a major city. But what we immediately recognized is that communication is critical.
When things go sideways, you end up with a much smaller group of people to deal with the fallout — meaning you can react much faster. You need somebody to tell everyone what to do and when. Then, it all goes back to risk management. How are you going to communicate to the board and your shareholders? How will this impact your filings?
JW: You mentioned something significant. I used to run a lot of tabletop exercises around incident response. And the first thing I did was change everyone’s jobs. CIOs switched roles with CFOs. I always heard, “Wow, I never thought about it that way.”
PT: When you look at the grand scheme of things, you realize that not everyone understands everyone else’s priorities. Every role is required to keep a business running because each has a critical, niche focus. But maybe if the CEO knew more about the CISO’s priorities, we could work together to make everyone’s lives easier.
To learn more about strong women in the media, cybersecurity, and (potentially) everything in between, listen to this full episode of the Risk & Reels podcast now — with new episodes every week!