CHIEF INFORMATION SECURITY OFFICER, ONEMAIN FINANCIAL
Original Interview, September 24, 2020
United States Air Force veteran Michelle Valdez spent her earlier career at DOD, DNI and DHS, and ultimately helped build information sharing relationships between critical infrastructure companies and the government. She now holds the role of Chief Information Security Officer at OneMain Financial. In her interview Michelle talks about the future of risk management, lessons learned from the Capital One breach, Election Security, and how the worst advice she ever got helped catapult her to success.
It’s no small feat getting private companies to share sensitive data with the US government. Michelle Valdez has the gift. The US Air Force veteran spent her earlier career at DOD, DNI, and DHS, ultimately building information-sharing relationships between critical infrastructure companies and the government. These programs helped to grow information sharing and analysis center (ISAC) capabilities for all the sectors. Having transitioned from government to the private sector, the ISAC model has paid off in a big way.
How did you initially get involved in Cybersecurity?
I was a Special Agent in the Air Force Office of Special Investigations, like the FBI or NCIS but for the Air Force. After 9/11, I switched from crime to terrorism then one of my former commanders reached out and asked me to help build a single cyber crime organization for the Department of Defense. I laughed saying, “I don’t know anything about computers.” He told me he needed my help building and branding this new cyber crime center.
It took us about a year to break down all the various stovepipes and rebrand the organization as the Defense Cyber Crime Center (known as DC3), one of six National Cybersecurity Centers. It was during this time, we saw a shift from computer crime to cybersecurity, as our foreign counterparts sought to exploit information from us.
One of the greatest lessons of 9/11 was the importance of sharing information between agencies. Cyber had similar growing pains.
The cyber community had to go through exactly what the terrorism community had been through a few years earlier. At DC3, we were meeting with the Defense Industrial Base (contractors who work with DoD) and critical infrastructure companies, figuring out how these companies could work together against a common cyber adversary.
Being highly competitive, these companies initially had a hard time sharing critical information about their vulnerabilities with each other and with the government. I had just lived through this: US Intelligence agencies not speaking to one another. 9/11 changed that. We created the National Counter Terrorism Center as a way to share intelligence, understand the terror threat, and see the big picture. The same now had to happen in cyber.
Did the people in charge underestimate the threat?
At the time, companies really thought they could do this on their own. They didn’t think they needed to work together. They had their own teams, their own technology, and felt they could protect their company. The reality is that companies are so interconnected, and share so many of the same vulnerabilities, that when one gets attacked it jumps to three other companies. Over time, sharing began to improve within and then across sectors. The Defense Industrial Base and Financial sectors led the way. Fast-forward to today, and the same people say the only way we can get ahead of the threat is if we do it together.
Are the Government and private sector now sharing information the way they’re supposed to?
It’s like night and day from where we started back in 2005. We are sharing way more than we ever did. The creation and evolution of Information Sharing & Analysis Centers, ISACs, has really helped critical infrastructure sectors. The Financial Sector ISAC has been doing it longer and has some really sophisticated mechanisms in place, including highly trained analysts on staff looking at all aspects of cybersecurity and cyber resiliency; there are also working groups from policy, to tabletops, to technical threats.
Other ISACs don’t yet have as many formal mechanisms in place. They don’t have the same level of funding or resources. A lot of initiatives are being developed to close the gap and put everyone on equal footing, so it’s not a pay-to-play barrier of entry.
On a scale of 1 to 10, when it comes to sharing information to reduce risk, how is everyone doing?
I would say 7 - the reason is, the quality of our technology is only as good as the data it has. Companies are now less afraid for people to know what’s happening to them and share that information. Even the government has changed its approach. In the past FBI and DHS information would have been classified because they were worried about sharing sensitive intelligence. Now, instead of the whole report being classified, one line may be redacted, and the rest can be shared to help companies better protect themselves.
Covid-19 is a perfect example. Every company found themselves in the same situation: a massively increasing attack surface and bad guys attacking indiscriminately. Companies were sharing indicators of compromise across sectors, along with tactics to identify the threat quickly, lock things down, and set up the best defenses and responses. None of that happened 15 years ago. It wasn’t until after 2010 that things really started to take shape and you saw different sectors setting up analysis centers and sharing data.
Unfortunately, we are still behind the threat, in part, because we operate in businesses and businesses have rules and laws and regulations. Bad guys don’t.
DHS has designated US Elections as critical infrastructure, warning an attack could have significant consequences on the nation.
Most citizens, even to this day, still don’t understand the depth of manipulation. Regardless of who is in the White House, we know external countries influenced our 2016 elections in a way that had a major impact on our country and its citizens on many different levels, including national security and defense.
That’s why in September, before the elections, the FBI and DHS came out with an alert telling companies and the public: This is going to happen. You should be aware of it.
Your last government job, after DOD and DNI, was with DHS. How important was that job?
100% guarantee I would not be where I am today if it were not for that role. I got the unbelievable opportunity to interact with CEOs, CIOs, CSOs, CISOs, CTOs of major companies across every critical infrastructure sector. My job involved building a framework to convince companies to share indicators of things happening on their network so that DHS could have this big, huge view of all of the activity that was going on, and activate their intelligence capabilities to try and predict what bad guys were doing, who they were going after, and help other companies prevent these same attacks on their networks.
At the time, there was a definite concern the next terrorist attack was going to be a cyber attack connected with a kinetic attack. The fact this program still exists and has had such an impact on the country is really cool.
You left Government and went into the private sector, first to Capital One and then OneMain Financial.
When I said if it were not for DHS, I wouldn’t be where I am, it’s true. You form a bond when you convince executives to share critical data with the government. One of the CISOs I’d worked with recruited me and gave me the opportunity to build Capital One’s cyber resilience program from scratch. I was terrified. I’d been in government my entire career, where it can take up to three years to implement even the best ideas.
The private sector has a completely different culture. The big difference: speed and trust. My driving force is a desire to implement things. At Capital One, my boss told me, “You’re the expert. Go build it.” I had a budget, was able to make decisions, hire someone, and three weeks later have that person already building what I needed.
One of the quotes on your profile is: “The two most important days in your life are the day you are born and the day you find out why.” Is the “Why” when you discovered your passion for cyber resilience?
Yes. I was attending a Resilience Management Model course when I had my career “Aha!” moment. I had spent my entire career largely focused on the threat. Resilience is the balance: adapt and recover. Most problems are people or process problems and much of my career has been understanding the root cause of a problem and trying to fix it.
Cyber resilience is about building something to minimize the impact, regardless of what causes the disruption. If you can get that puzzle right then it doesn’t matter what somebody tries to do to hack away at it, they're not going to take you down completely.
There’s a saying, “You can’t build a castle on shifting sand.” I’m the one who puts the foundation in place so that the castle can stay standing and be resilient and withstand anything that comes at it. That to me is cool. It’s true problem solving.
What was the greatest challenge when you arrived at Capital One?
Capital One is a big, beautiful, innovative castle. They have the best developers and technology in the world working every day to make the digital experience even better for their customers. The whole company is built on data. I joined in 2015 to build a cyber resilience program and really mature our foundational processes. For companies, it's about balancing the most high-speed, innovative, technical approach with the need for solid security fundamentals.
I focused on developing strategy, processes, and exercises. To me, the exercise program was fundamental to get executives to wrap their heads around the potential impact of a cyber event on their businesses. They needed to feel it in a way that meant something to them as opposed to something being done to them.
Our first two-day simulation really paid off. The scenario involved a cybersecurity attack, and our most senior executives had to learn to run on Think: “You’ve got 10 minutes to give an answer.” We put them through the most uncomfortable moments of their lives as they figured out everything they had to do. You make them feel it and realize the business impact and all of a sudden people become advocates for your cybersecurity budget.
The cybersecurity community has a saying: There are two types of companies. Those which know they’ve been hacked and those which are about to find out. Capital One did get breached in 2019 when a hacker gained access to 100 million credit card applications and accounts.
That is very true. Our adversaries are always evolving and improving their capabilities. The cybersecurity community has to do everything it can to stay ahead and maintain the advantage. However, there is no perfect solution, and so it becomes a matter of time. The key is ensuring you have solid response and recovery processes in place to minimize the impact of an attack. Any company that has been through a breach will tell you the response is extremely difficult and all-consuming. Everyone was working crazy, long hours. We were in crisis mode, but the camaraderie and collaboration got us through it, along with the company’s demonstrated ability to make quick decisions. Most companies that go through a major breach usually come out with even better programs based on all the lessons learned.
Not long after, you were named CISO for OneMain in January 2020.
I had convinced myself over the years that I could not become a CISO. The long hours, middle of the night incident calls, and major stress were not things I was sure I wanted to sign up for again. I had already worked many incident responses in my counterterrorism days. Then a recruiter reached out to me with a job description for OneMain that seemed tailor-made to what I’m passionate about. One of my mentors, who was in her first role as CISO, told me, “Just talk to them.”
I had one of the most amazing conversations with OneMain’s Chief Risk Officer. We have done something incredibly novel and brilliant at OneMain. We split the cyber organization into two teams: Cyber Risk and Cyber Tech. As CISO and Head of our Cyber Risk team, I have responsibility and oversight of the cybersecurity organization—governance, policies, the controls, the culture—and report to the CRO. My colleague has first-line operational responsibility for cybersecurity operations, engineering, and architecture and reports to the Chief Technology Officer.
We are the perfect balance for each other: My love of risk management, people-focused programs, and process development and maturity, to his deep technical expertise and operational experience. We are both driven to execute. We have two separate teams but work in close partnership to lead our Cybersecurity Organization, both of us sitting at the table, looking across the entire cybersecurity spectrum of people, processes, and technology. I do think a more risk management focus will be seen in more and more CISO roles going forward.
You are at a great point in your career. What sort of mentors did you have?
Early in my career, I had a lot of male mentors, most of them military leaders with whom I’d served. I asked them to mentor me, then carefully managed the relationship. They were amazing people with very busy schedules, their own careers, their own teams, and their own lives. They were willing to tell me things I needed to hear versus things I wanted to hear.
One of my very first female mentors worked in the White House. She was considered the nation’s foremost leader in cybersecurity. To have a woman revered as America’s top cyber expert take time to talk to me, a junior person in a different agency, was really pivotal for me. It’s when I realized not all the women were like the ones I’d previously engaged with. It opened my aperture to seek out more female mentors to learn how to navigate in a male-dominated field.
What was the best piece of advice you got from a woman?
The best advice I got from a woman was really bad advice and I set out to prove her wrong. This woman was incredibly accomplished but extremely difficult to work for. As she was leaving her role, I asked for advice thinking she was going to say something like, “I know I’ve been hard on you but…I think you’re going to do great things.” Instead, on her way out the door on a Friday night, she dealt the parting blow: “You are never going to be anything more than a secretary, so don’t even try.”
I was devastated but after taking the weekend to grieve, her words lit a fire. I thought, “You’re so wrong; I actually am going to have an impact. I can achieve the things I want to achieve and become a great leader, and who are you to tell me I can’t.” It was the most empowering moment of my career. I now tell people, the only person who can tell you you’re not going to achieve is YOU. The other piece of advice I give is, the only time you run into obstacles in your life is when you lose sight of your goals.
Best advice from a male mentor: “The grass is not always greener. Sometimes it’s just green.” Leaving is easy. Staying is hard. Don’t jump because you had a bad day or because you feel you’ve failed. Make sure you are truly going to something that is more challenging, more exciting and makes you a little scared. Know when it’s time to leave and leave for the right reasons.
What kind of advice do you give to young women now?
Beware of listening to your inner voice of doubt. It will tear you down. We all have those moments where we really start to doubt our ability to be successful. When that happens, let your actions reflect what you are capable of doing. Another is, seek out multiple mentors. Listen and learn from them. Be willing to hear what you need to hear, not what you want to hear.
And finally, the golden chalice: how do you handle a work/life balance?
A few years ago when I was still in government, I realized my ambition was literally killing me. I had been diagnosed with the medical condition Fibromyalgia and I had to ask myself, “Is it really worth it?” I had to stop what I was doing and start making decisions to take care of myself, physically, and psychologically. Without that, nothing else matters. I also had to get comfortable accepting that my life had fundamentally changed and that I had to assess what was most important.
I subscribe to the philosophy, “Put your big rocks into the jar first.” If you don’t, nothing else will fit. My marriage is everything to me. My big rocks are having time with my husband and my dogs. When I go home at the end of the day, I’m going to turn off and unplug. If someone really needs to reach me, they know how; and they should do the same. It was an agreement my husband and I made because he’s also an executive in a successful career and also works long hours. We had to force each other to do it.
The advice I always give people about work-life balance is, “You’ve got to own it.” Don’t expect your boss or your company to give it to you. You need to set guardrails for your own life and know what is most important to you. Take time off when you can. Take flex time. Work a half day. Turn off whenever possible. I have seen women who have kids let this career field destroy them. It breaks my heart. We feel we have to work longer hours and do everything we’re asked because we’re worried our employers will use the fact we have a family as a reason to keep us from getting ahead. Learn how to say NO and set your own boundaries.