Story Behind the Story: Interview with Michelle Valdez

D F: You left Government and went into the private sector, first to Capital One and then OneMain Financial.

MICHELLE: When I said if it were not for DHS, I wouldn't be where I am, it's true. You form a bond when you convince executives to share critical data with the government. One of the CISOs I had worked with recruited me and gave me the opportunity to build Capital One's cyber resilience program from scratch. I was terrified. I'd been in government my entire career, where it can take up to three years to implement even the best ideas. The private sector has a completely different culture. The big difference: speed and trust. My driving force is a desire to implement things. At Capital One, my boss told me, "You're the expert. Go build it." I had a budget, was able to make decisions, hire someone, and three weeks later have that person already building what I needed.

D F: One of the quotes on your profile is: "The two most important days in your life are the day you are born and the day you find out why." Is the "why" when you discovered your passion for cyber resilience?

MICHELLE: Yes. I was attending a Resilience Management Model course when I had my career "Aha!" moment. I had spent my entire career largely focused on the threat. Resilience is the balance: adapt and recover. Most problems are people or process problems, and much of my career has been understanding the root cause of a problem and trying to fix it. Cyber resilience is about building something to minimize the impact, regardless of what causes the disruption. If you can get that puzzle right, then it doesn't matter what somebody tries to do to hack away at it; they're not going to take you down completely. There's a saying, "You can't build a castle on shifting sand." I'm the one who puts the foundation in place so that the castle can stay standing and be resilient and withstand anything that comes at it. That to me is cool. It's true problem solving.

D F: What was the greatest challenge when you arrived at Capital One?

MICHELLE: Capital One is a big, beautiful, innovative castle. They have the best developers and technology in the world working every day to make the digital experience even better for their customers. The whole company is built on data. I joined in 2015 to build a cyber resilience program and really mature our foundational processes. For companies, it's about balancing the most high-speed, innovative, technical approach with the need for solid security fundamentals. I focused on developing strategy, processes and exercises. To me, the exercise program was fundamental to get executives to wrap their heads around the potential impact of a cyber event on their businesses. They needed to feel it in a way that meant something to them, as opposed to something being done to them. Our first two-day simulation really paid off. The scenario involved a cybersecurity attack, and our most senior executives had to learn to run on "Think: You've got 10 minutes to give an answer." We put them through the most uncomfortable moments of their lives as they figured out everything they had to do. You make them feel it and realize the business impact, and all of a sudden people become advocates for your cybersecurity budget.

D F: The cybersecurity community has a saying: There are two types of companies. Those which know they've been hacked and those which are about to find out. Capital One did get breached in 2019 when a hacker gained access to 100 million credit card applications and accounts.

MICHELLE: That is very true. Our adversaries are always evolving and improving their capabilities. The cybersecurity community has to do everything it can to stay ahead and maintain the advantage. However, there is no perfect solution, and so it becomes a matter of time. The key is ensuring you have solid response and recovery processes in place to minimize the impact of an attack. Any company that has been through a breach will tell you the response is extremely difficult and all-consuming. Everyone was working crazy, long hours. We were in crisis mode, but the camaraderie and collaboration got us through it, along with the company's demonstrated ability to make quick decisions. Most companies that go through a major breach usually come out with even better programs based on all the lessons learned.

D F: Not long after, you were named CISO for OneMain in January 2020.

MICHELLE: I had convinced myself over the years that I could not become a CISO. The long hours, middle-of-the-night incident calls, and major stress were not things I was sure I wanted to sign up for again. I had already worked many incident responses in my counterterrorism days. Then a recruiter reached out to me with a job description for OneMain that seemed tailor-made to what I'm passionate about. One of my mentors, who was in her first role as CISO, told me, "Just talk to them." I had one of the most amazing conversations with OneMain's Chief Risk Officer. We have done something incredibly novel and brilliant at OneMain. We split the cyber organization in two teams: Cyber Risk and Cyber Tech. As CISO and Head of our Cyber Risk team, I have responsibility and oversight of the cybersecurity organization (governance, policies, the controls, the culture) and report to the CRO. My colleague has first-line operational responsibility for cybersecurity operations, engineering, and architecture and reports to the Chief Technology Officer. We are the perfect balance for each other: my love of risk management, people-focused programs, and process development and maturity, to his deep technical expertise and operational experience. We are