CHIEF INFORMATION SECURITY OFFICER AND CHIEF PRIVACY OFFICER – MARKEL CORPORATION
Original Interview in June 2019
Patricia Titus has held many interesting jobs. She began her career stationed in Japan as a Morse code operator for the United States Air Force; moved on to the U.S. State Department; raised a family while working in Saudi Arabia, Germany, and Africa; and was the first person named CISO of a federal agency, a title she has held at several Fortune 500 companies.
As Chief Privacy and Information Security Officer for Markel Corporation, a multi-national company specializing in insurance, reinsurance and investment operations, Titus talks honestly about preparing for breaches, having an exit strategy, the importance of mentoring, and her quest to always be better.
When Markel approached you, you had left corporate America and were consulting for the Ponemon Institute, a research center dedicated to privacy, data protection and information security policy. What was it about Markel that pulled you back into the corporate world?
I wasn’t sure I wanted to keep being a CISO. The head of Markel’s IT governance at the time had been given my name as a possible candidate for the CISO role. During our first conversation, she and I talked for a few hours and really connected. I always ask one question when interviewing: “Are you checking a compliance box?” The answer matters because it’s a gauge for how committed the company will be to security, and with regulatory law pressing companies to hire CISOs, it can be a check-the-box exercise. Markel’s answer was honest: “Yes, we are checking a box, but it’s a very small one.”
Markel was committed to finding a cyber-security expert who could build a program not just for compliance reasons, but to meaningfully enhance their security program. And, they were willing to commit the assets and visibility necessary to do the job. I found that intriguing.
What factors did you weigh in making your decision to go to Markel?
Markel’s culture and commitment were the key factors. The environment at my previous job was not very good, and I had left with my self-esteem and confidence shaken. I found the environment at Markel to be completely the opposite. Everyone I met during the interview process was so genuine, to the point I thought, this is too good to be true. Leaders actually wanted to do what’s right for the company— no airs, no political agenda— and they were genuinely looking for someone to come in and rebuild the entire program.
You identified the head of Markel’s IT Governance as a woman. Did that make a difference during the interview?
I never thought about it until you mentioned it, but I have to say “yes.” I had never been interviewed by a woman for a CISO job, and she was definitely the reason I had the follow-on interviews. It was very enlightening because the conversation was different. She was asking me questions like: “Should we buy this technology or should we wait? Where’s the future of identity and access management going? Where’s this particular discipline going? What are the things that should be in a program?”
The interview was almost consultative. It was as if she was opening the door and saying, “Help us do it better.” There was an element of trust, and as we talked through things, she said, “You are so smart. If you don’t take the job here, at least take the job for six months and come help us.” That, in and of itself, sold me.
What was the mission you were charged with?
Protect Markel's brand, its intellectual property and mostly, protect the company. One of the most important aspects in any company is understanding the culture and what motivates its people. Anyone who knows Markel understands that culture is a very large part of what makes Markel a great company. Our culture is called The Markel Style and it’s not just words on paper. You see it every day when you go to work and in the way people interact with each other in the company. The Markel Style is something we live. It’s ingrained into so many things the company does.
How did you evaluate Markel’s security and make it better?
People. Process. Technology. We are a consensus-driven company and there were a lot of pockets of security being done throughout the enterprise in different organizations. I have a 100-day plan and a methodology I have developed over many years, which I use to assess a new organization. I feel performing an assessment is critical. Looking at the company in its entirety, I ask, “What technology do you have - what hardware, what software? Do you have the right people to use the technology? How do you police the process to effect change?”
First thing is to look at human resources and conduct a workforce assessment. I have found there are three types of people working in security. First are those who are skeptical or cautiously optimistic about a new CISO. They don’t understand your operating model and worry about how they will fit into the new regime. The second type are those individuals who are long-standing employees and have significant loyalty to the company. A new CISO must objectively assess if they have the right critical thinking skills to move the security organization along and, if not, what training they will need. The third type are the flight risks. Their resumes are ready to go and they have the potential to walk out the door.
With retention in cyber security being what it is, it is very important a new CISO is communicating often and directly with the entire team.
If a new CISO happens to come into a company post-breach, the mindset is usually, “Hurry up and do something,” as opposed to, “Take some time and lay out a strategy.” And, it’s all hands on deck, so you may not have the opportunity to invoke a 100-day plan. Another way to think of it would be the difference between building the plane while you’re flying it, versus while you’re on the ground. A security program needs to have a strategy that creates repeatable, defendable processes to further the company’s security culture and program.
My motto is, “Just enough. Just in time.” It doesn’t mean you won’t have a breach or a disruption, but are you practicing what to do when there is a problem? How do you identify it? How do you respond? How do you contain? It’s prevent, detect, respond and recover.
Not everyone is willing to say a breach is likely. That’s pretty honest.
It changes the conversation with your executives, your peers and your board. You are preparing people for the inevitable and running table-top exercises. In the military, we regularly practiced many different scenarios on how to prepare and react to possible threats. Planning to respond to things you don’t know are coming can be a difficult conversation for a company. It’s important to understand that it can, could, and may happen at some point in the life of a company. If you don’t practice, it doesn’t become part of the muscle memory of your brain and you won’t react strategically.
Additionally, how a company reacts if there is a breach can help limit brand damage, and executives need to be aware of how to communicate. It’s very important to know who oversees communication. In any incident, you need to know how you are communicating internally, externally to the board, and shareholders.
On 9/11 you were working for the U.S. Treasury Department as a technical advisor to the CIO. When the planes hit the buildings, one of your first responsibilities was getting secure wireless communications to the crisis management teams. The work you did during the terror attacks clearly influenced your thinking and how you do what you do now.
It was a defining moment that shaped many people’s lives. It goes back to the Girl Scout motto, “Be prepared.” I’m still a Girl Scout, and I believe it’s many defining moments in my life and career that have developed me into the well-rounded leader you see today. My defining moments included living in Saudi Arabia during the Mecca/Medina massacre; living in Africa at the peak of the AIDS epidemic; living through 9/11 near everything that was happening and having to execute plans. All those pieces and parts helped define my style of leadership today.
You took what you learned during 9/11, built out another secure wireless communications for the 2002 Winter Olympics in Utah, and then went on to play a vital role creating a brand-new government agency, the Transportation Security Administration.
TSA was the pinnacle of my career. I was part of the early start-up team, which I liken to an organization of patriots. We had left the security of our jobs to be on the ground floor of a brand-new federal organization. In the TSA environment after the 9/11 attacks, we were so driven and focused on our mission to secure the traveling public. It was just amazing.
By the end of 2002, eight months after you joined, the organization mushroomed from a few hundred people to about 56,000 employees. Your rise was pretty steep, ultimately taking over all of TSA’s information security.
I was the first person to be given the CISO title in the federal government. I started as the wireless program manager securing communications for federal officials at airports across the country. Next, I became the security manager. I kept asking my CIO to make me CISO, which he did. If I hadn’t kept asking, I would not have been given the official title.
There is a flip side however, which is be careful what you ask for. Being the CISO at the TSA, I didn’t realize how powerful the position really was until the day my CIO said, “Stop using security as a weapon.” Security is extremely powerful in a company, so use your power wisely.
Clarify what you mean, “Security was a weapon.”
As CISO, I had been given the power to stop programs from moving forward based on risk assessments. These programs and applications were needed to advance our mission. And, of course, I wanted it as secure as we could make it and fully hardened. I wanted it all to be perfect and if it wasn’t perfect, I wouldn’t sign off on it going live. Because we were a new organization, I wanted zero risk. I realized as the expert, I had the power to say, “Don’t do it,” and they wouldn’t.
Yet, think of the consequences for not deploying capabilities. The US experienced planes flying into buildings, and I had to learn to operate my security program based on risk management and risk appetite. It’s not just a zero-sum game, and this is a lesson I have carried with me throughout my career. Use the power of authority to manage risk and help the company understand the level of risk they are taking.
Are you now more comfortable making decisions when you’re only 90% certain?
It’s more like the 80/20 rule. 20% of your activities will account for 80% of your results. For example, we lived through Y2K. (The Millennium bug. Leading up to 12:00 AM, January 1, 2000, governments around the world launched a massive effort to implement new software, fearful older systems would not properly process ’00 digits, thereby resulting in a global meltdown). The things we thought were going to happen never did. Did they not happen because we planned so well, or because they weren’t going to happen anyhow? It’s the 80/20 rule.
Companies need a good risk-management strategy and a way to tier the criticality of their data based on its value. Not having this strategy could mean they’re investing too much or too little in protection capabilities. I’ve seen many CISOs get to a new company and go like gangbusters and before you know it, they get fired because the company can’t handle the cyber-fatigue. With security, you must find that delicate balance of “just enough, just in time” security.
How has your leadership style evolved over time?
I had a career/life changing moment on how I lead people, after the US government sent me to the Center for Creative Leadership. Leaders need mentoring and training. I believe most people don’t ask for help enough, and especially women don’t ask for it, because they’re afraid they may be viewed as being weak or less skilled. But if you don’t ask for help, then those weaknesses become ingrained and your career can be derailed.
How did it change?
My move to the top was pretty quick. Once I got into the executive ranks, I was a little bit full of myself, to be frank. I felt I had to be a man to do a man’s job. I honestly lost touch with my identity and was neither self-aware nor particularly humble. I was the person who would bring a group into the room and chew them all out. Maybe they needed it, but there are better ways to achieve success, as I learned. I thought I had to redo everybody’s work because I wanted perfection and thought it wasn’t good enough for me to put my name on it. I was stressed out, close to burnout, making myself ill, and making others around me unhappy.
The Center for Creative Leadership was yet another defining moment. I learned you can’t control everyone around you. The only person you can control is yourself. I had to relearn how to be self-aware, to realize I was not treating people fairly. I had convinced myself that everyone else was the problem. I had stepped so far out of myself, I had to find my way back and learn to be a good leader.
You say you felt you “had to be a man to do a man’s job,” when the more accurate description should be this is a job and I’m the most capable person to do it. Did you have a good support network of women?
There are women and men who pushed me, told me I could be more, do more, and helped me see what I couldn’t see - my potential. They also helped instill a level of confidence in me that I didn’t have.
The Executive Women’s Forum (EWF) was where I began to build my women’s network with women who remain my friends today. I could and still do pick up my phone and say, “What are your ideas?” Having the ability to reach into a group of well-established women in your field - going through the same challenges and issues - is extremely helpful. But, the men who have been supportive in my career have also been necessary. It’s not easy to maintain your support network when you’re working so hard all the time. But it is vital to your sanity to have peers to lean on for support. I also find that being a mentor is critical and helps you not only give back but expand your network.
What is your advice to women who may feel, for whatever reason, they’re not “good enough” to do a job?
When someone asks, “Am I going to be successful,” whether you have a degree in computer science, or are a mom coming into the workplace, I want to know how your skills equate to your aspirations.
First, ask yourself, “Am I the right fit for this job? Am I going to do it well?” Next talk to others in the field about the skills you need to be successful and build a plan. It’s important to define what your weaknesses are, what skills you might need to develop and, ultimately, what training you may need.
I’m a “tough love” kind of person and we all get to make our own choices. So, when something doesn’t go according to plan based on the choice you made, don’t focus on the negatives. You need to challenge yourself to identify what you learned from it. I’ve been fired a few times and I could have spent my time having a pity party. But instead, I turned it around, so I could really try to understand what I learned from that challenge and how it made me a better person and leader as a result.
Men see getting fired as a rite of passage, women as a badge of shame.
The difference between men and women being fired, in my opinion, is women internalize it, while men just put it in a box and move on. My recommendation for anyone in any company is have an exit strategy. Some organizations are more stable than others, but all CISOs are vulnerable to one degree or another. Thankfully for me, Markel is the kind of company where long careers are not uncommon. But we must be realistic. CISOs are the first to be fired in the event of a breach and you need to be prepared for it, especially if you are the sole breadwinner for your family. This is when the investment you’ve made in networking and building a support structure is going to get you back to True North. Security people have so much to give and so much to offer. You will not be unemployed for long unless you want to be.
You held many jobs and have had an exceptional career. Let’s talk about some lessons learned. You’ve been at Markel for more than three years now. Biggest takeaway?
While I’m not an insurance expert, I do need to understand what our business does so I can provide enough security. I must have an understanding of how we collaborate cross-functionally, to deploy capabilities to protect the company.
You left the government in 2008 and joined Unisys, the global tech company. What were some of the lessons learned?
It’s not easy to leave the public sector and go into the private sector. In the public sector, your value is based on the government system, so you don’t really know what you are worth in the marketplace. Unisys allowed me to work with their corporate offices and understand how the corporation worked. I think this was a huge benefit.
A few years later, the CEO of Symantec reached out to you and offered you the CISO role, a huge opportunity to work at the world’s largest cyber-security company.
Symantec was a great opportunity to experience a fast paced, hi-tech company doing development work in other countries. This is when I learned that there are cultural implications to deploying technology in a global corporation, and you must think about those impacts. Honestly, this job helped me to stop thinking like an American and to start thinking globally.
Your next CISO job was at Freddie Mac, a private company, which at the time was under government conservatorship.
Freddie Mac was one of the companies where I learned many valuable lessons about leadership and management. It taught me how critical it is to be organized, build a program based on an industry framework, and create repeatable, defendable processes.
Both Symantec and Freddie Mac ultimately were not a good fit. After leaving each organization, you took time off and traveled: Australia following Symantec and New Zealand following Freddie Mac. Each break allowed you to come back stronger.
Yes, I needed to think about what I wanted to do with my career. Being a CISO is a tough job and I didn’t know if I wanted to keep putting myself in vulnerable, risky positions. Over the years, I had become an adrenaline junkie. I liked working 24x7. I liked the complexities of the problems that I had to work through, but how healthy was that?
I had been in the security field continuously for 20 years and I think I was burned out. I needed to hit the reset button. At this point I couldn’t see the forest through the trees. Walking through the Australian bush gave me time to think through moments in my life. You recognize the value you bring, the things you leave, the people you worked with, the people you mentored, the lives you’ve touched, the words someone puts on paper about you, the impact on your profession, and how the work you did furthered that movement.
I had negotiated a good exit strategy, so when I came back, I was able to take time and think about what I wanted to do next. When you are leaving a company, you must negotiate a good severance deal.
I’m now in a great job at Markel. I’ve built a high-functioning team and I have time to get into strategy, financial planning and get involved in philanthropy. Recognizing my tendency to be an adrenaline junkie has helped me find a better balance in my work and personal life.
In sum, what is your best advice both in a career and in life?
Career—when you are in a position of power, use it carefully and thoughtfully.
Listen, learn, and ask for what you want. In my career, if I hadn’t asked for what I wanted, I would not have been as successful as I have been. Take a risk. Sometimes that risk pays off in undefined dividends. Also, as I’ve gotten older, I find myself standing a little further away from the edge of the cliff.