Story Behind the Story: Interview with Patricia Titus

"My motto is, 'Just enough. Just in time.' It doesn't mean you won't have a breach or a disruption, but are you practicing what to do when there is a problem? How do you identify it? How do you respond? How do you contain? It's prevent, detect, respond and recover."

D F: You identified the head of Markel's IT Governance as a woman. Did that make a difference during the interview?

PATRICIA: I never thought about it until you mentioned it, but I have to say yes. I had never been interviewed by a woman for a CISO job, and she was definitely the reason I had the follow-on interviews. It was very enlightening because the conversation was different. She was asking me questions like: Should we buy this technology or should we wait? Where's the future of identity and access management going? Where's this particular discipline going? What are the things that should be in a program?

The interview was almost consultative. It was as if she was opening the door and saying, "Help us do it better." There was an element of trust, and as we talked through things, she said, "You are so smart. If you don't take the job here, at least take the job for six months and come help us." That, in and of itself, sold me.

D F: What was the mission you were charged with?

PATRICIA: Protect Markel's brand, its intellectual property and mostly, protect the company. One of the most important aspects in any company is understanding the culture and what motivates its people. Anyone who knows Markel understands that culture is a very large part of what makes Markel a great company. Our culture is called "The Markel Style" and it's not just words on paper. You see it every day when you go to work and in the way people interact with each other in the company. The Markel Style is something we live. It's ingrained into so many things the company does.

D F: How did you evaluate Markel's security and make it better?

PATRICIA: People. Process. Technology. We are a consensus-driven company and there were a lot of pockets of security being done throughout the enterprise in different organizations. I have a 100-day plan and a methodology I have developed over many years, which I use to assess a new organization. I feel performing an assessment is critical. Looking at the company in its entirety, I ask, "What technology do you have: what hardware, what software? Do you have the right people to use the technology? How do you police the process to effect change?"

First thing is to look at human resources and conduct a workforce assessment. I have found there are three types of people working in security. First are those who are skeptical or cautiously optimistic about a new CISO. They don't understand your operating model and worry about how they will fit into the new regime. The second type are those individuals who are long-standing employees and have significant loyalty to the company. A new CISO must objectively assess if they have the right critical thinking skills to move the security organization along and, if not, what training will they need. Third types are the flight risks. Their resumes are ready to go and they have the potential to walk out the door. With retention in cyber security being what it is, it is very important a new CISO is communicating often and directly with the entire team.

If a new CISO happens to come into a company post-breach, the mindset is usually, "Hurry up and do something," as opposed to, "Take some time and lay out a strategy." And, it's all hands on deck so you may not have the opportunity to invoke a 100-day plan. Another way to think of it would be the difference between building the plane while you're flying it, versus while you're on the ground. A security program needs to have a strategy that creates repeatable, defendable processes to further the company's security culture and program.

D F: Not everyone is willing to say a breach is likely. That's pretty honest.

PATRICIA: It changes the conversation with your executives, your peers and your board. You are preparing people for the inevitable and running table-top exercises. In the military, we regularly practiced many different scenarios on how to prepare and react to possible threats. Planning to respond to things you don't know are coming can be a difficult conversation for a company. It's important to understand that it can, could, and may happen at some point in the life of a company. If you don't practice, it doesn't become part of the muscle memory of your brain and you won't react strategically.

Additionally, how a company reacts if there is a breach can help limit brand damage, and executives need to be aware of how to communicate. It's very important to know who oversees communication. In any incident, you need to know how you are communicating internally, externally to the board, and shareholders.