1 May, 2024

EP 51 – Balancing Innovation and Security in FinTech

In this episode of Trust Issues, host David Puner interviews Eric Hussey, SVP, Chief Information Security Officer (CISO) at Finastra, a leading provider of financial software solutions and services. Hussey shares his insights on the evolving role of the CISO, the challenges of keeping up with new and evolving cybersecurity regulations, and the importance of balancing innovation with security in the fintech space. He also discusses how identity factors into the equation, mentioning the importance of identity security in the future of fintech and banking, and the need for frictionless enhancements in identity security. Hussey also talks about his career path, AI’s emerging and evolving role in cybersecurity, and the importance of good governance and risk management in prioritizing security concerns. 

[00:00:00] David Puner: You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.

With consumer expectations pushing further and further into digital, the financial services sector has had to meet the demand and is transforming how they do business. Banks and financial service organizations worldwide are digitizing legacy platforms, accelerating cloud migrations, and investing in emerging technologies like AI and IoT to increase agility.

This unprecedented change also means unprecedented opportunities for cyber attackers looking to turn these innovations against the organizations embracing them. Helping these organizations innovate are their fintech partners, and within the fintech world, the role of chief information security officer, CISO, is becoming increasingly important.

Balancing the need for innovation with the need for security is a delicate task that requires a deep understanding of the industry and its challenges. And that’s a topic – among others – that we explore with today’s guest, Eric Hussey, who’s the CISO at Finastra, a leading provider of financial software solutions and services.

Eric brings a wealth of experience to the conversation, having worked in CISO roles for over seven years at companies including Aptiv and PTC. He shares his insights on the evolving role of the CISO, the challenges of keeping up with new and evolving cybersecurity regulations, the importance of balancing innovation with security in the fintech space, and how identity factors into the equation.
Here’s my conversation with Eric Hussey.

[00:02:03] David Puner: Eric Hussey. CISO at Finastra. Welcome to Trust Issues.

[00:02:09] Eric Hussey: Alright, Dave. Thanks a lot for having me.

[00:02:11] David Puner: Thanks so much for coming on to the podcast. To start off, you joined Finastra in October 2023, so not all that long ago, but by way of background, of course, Finastra is a financial provider and software solutions provider and systems provider to banking and financial service providers and the company services for over 98 of the world’s top 100 banks, among lots of other institutions. So, no big deal there. And you’ve been in the CISO game for quite some time previously with Aptiv and PTC – over seven years as a CISO collectively at this point. What’s your career path been to CISO? And what’s the scope of your current role? Are you focused more on customers and clients or internally or both?

[00:03:05] Eric Hussey: Before CISOs were called CISOs, we were called something else, right? So, if you take in those responsibilities, you know, it was very interesting for me – I would say I’ve been very fortunate in my career that my first CISO job was at age 32 in a Fortune 500 company called UNFI after I departed 12 years at FinTech.

So, I’ve effectively been leading in this space for, let’s see, we’re going on 10, 11 years at this point. So, this is my fourth time in the spot. If we count that, that other role that wasn’t necessarily branded the CISO, but it had all the roles and responsibilities. So, you know, for me, fourth time in the seat, you know, I’m back in FinTech.

So, I’m really, really happy about that. I spent 12 years of my career starting off in FinTech, which laid the foundation for me in my career to ultimately navigate into a CISO role. But I would say that power of mentors, young in your career – and you’re coupling that with your appetite to learn – put in the hours, grind and have some grit to persevere through some challenging times in the industry.

As you grow up in the industry, you have to push through, you have to put the time in and that time ends up paying off dividends if you start with the appropriate foundation. So, my appropriate foundation for me, I started off in security engineering. I was fortunate to come out in the dot-com bust and I made my way up into the FinTech industry.

Fortunately, someone took a chance on me when they could have selected many other candidates in the space given the, I would say, the macroeconomic conditions of the United States economy in that time and the global economy. But, I was very, very fortunate to kind of move my way up that way.

[00:04:45] David Puner: How does the CISO role now compare to what it was back when you started in this path or down this path – the simpler times of yesteryear, like the 2016s and that kind of thing?

[00:04:59] Eric Hussey: Yeah. I mean, I would say when I was first starting off, I think we’ve heard this many times in the history, but it’s very, very true – and some CISOs either make the pivot or they don’t make the pivot – but it started off as more of a technical role, but that’s had to evolve.

And frankly speaking, while I still do have an appreciation for the technology aspects of my day-to-day – I really do enjoy being an enabler for the organization in which I work. I have this saying in my organization, and I tell it to everyone on my team: “You’re a business executive first, you just happen to work in cybersecurity.”

Right. And that’s how we should be thinking about our day-to-day, is how do we enable the business? How do we sit in each and every role that we interact with on a day-to-day basis? You know, most of my career has been spent in FinTech, collectively, and software organizations. Those are usually more challenging organizations to navigate the value that’s created. It’s created by developers interacting every single day to create a software product, which is, at the end of the day, a great combination between art and engineering.

So, how do we weave in cybersecurity into that fabric in which we can aim a high productivity safely and securely as well? So, that is part of the challenge.

[00:06:11] David Puner: You’re about six months into being Finastra’s CISO. So, you’re still relatively new to the company, obviously. What’s it like stepping into a role like this at an organization that was new to you? And what are the first things that you tackle when you jump into such a large role?

[00:06:27] Eric Hussey: Yeah, so my first CISO job, I came across a consultant who has now become a great friend of mine over the years. And he was exceptional around framing, I would say, approaches to all kinds of business challenges. But one thing that always stuck with me was a plan that we put in place.
It’s a three-step plan. It’s called: “Understand, assess, initiate.”

[00:06:50] David Puner: Okay.

[00:06:51] Eric Hussey: That is how I go into every type of role, every type of situation, in any professional setting, but in parts of my life as well where you’re new at something, right? So, that’s what it’s been like at Finastra. And that was, frankly, part of my pitch when I was interviewing as well is – everybody wants to know about what your first 90 days look like.

It’s understand, assess, initiate. And I recognize that there’s a saying that my father used to say to me as a young man was, “Keep your eyes and ears open and your mouth shut.” That is very, very important basic life lessons that help you go into an organization, understand, be patient, come up with a plan that is not my plan, but is a plan to secure and enable the organization collectively.

It’s a company plan built by company people, right? So, it’s not just a cyber plan. It’s a cyber plan that’s happened to be built by the entire organization. So that’s how I approach stepping into these new roles. Finastra has been nothing different.

[00:07:52] David Puner: So, you’re not coming in guns a-blazing?

[00:07:54] Eric Hussey: No, no. I think a lot of us who have been in the area have been in the cybersecurity field or technology field, or in any field, frankly – as an executive, we’ve had those unpleasant experiences throughout our career where we’ve seen certain leaders come in, leave a path of destruction and they’re gone two years later – and the collateral damage is significant. Now, we’re going to measure twice, cut once – that is going to be the ultimate path towards success and the one that’s proven to work out very well by me over the years.

[00:08:22] David Puner: So, while you’ve been working through this, understand, assess, initiate process in your first six months, anything super surprising come up? What have you learned in your first six months?

[00:08:34] Eric Hussey: Generally speaking, right, this is my fourth time in the slot. There hasn’t been a lot that I haven’t seen. One of the reasons I wanted to get back to FinTech was, number one, I love software products.

Number two, I like securing the movement of money. That’s really, really important to me. There’s a ton of innovation in FinTech right now. But most importantly for me, one of the things that I really like and it’s refreshing being back in FinTech, because it brings me back to all those days that I started in my early careers is – how do we balance innovation with regulatory compliance and security?

How is that, right? In many ways, it’s like blending oil and water. But that is part of, I would say, the challenge is, how do we move quickly, safely and securely to deliver cutting edge products to our customers, but at the same time, make sure that we’re meeting regulatory compliance requirements in the same sprint, so to speak.

So, nothing really new for me, just happy to be back. We don’t usually get six months to put together a plan. Especially when, you know, when certain CISOs are hired. You know, for me, most of my experience when I have left FinTech has been, we need help to come in and help fix or build, right? So, I tend to move very, very quickly.

But for me, one of the bright spots of joining Finastra – I think that is that I haven’t necessarily seen as prominently in other organizations that I worked in – is there’s truly a top-down management commitment all the way from the CEO down to the individual contributor level on the company. They want to know about security. They value my opinion. They’re here to help me move the agenda forward in the best interest of protecting shareholder value and our customers. So that’s critically important and it’s something that I very much appreciate because it’s not present in every organization.

[00:10:24] David Puner: You did mention, of course, securing the movement of money, which I think is obviously key to what you do and really interesting.

How do you approach the challenge of keeping both your customers and their consumers (or customers) safe in the FinTech space?

[00:10:40] Eric Hussey: You know, I’ve worked my entire career in cybersecurity. It’s given me a lot of different perspectives. Like I’ve seen a lot of success, but I’ve been pre- and post- in organizations where things have gone wrong. There’s a saying, I always say, “Do the common things uncommonly well.”

As basic as that is, that is the reality. I think that for us to do common things uncommonly well, the challenge there is that with the proliferation of technology, we have much more variety than we ever have before. The pivot from waterfall to agile has only put more pressure on us delivering faster.

And with that said, we’re delivering faster with a growing attack surface. So that is the challenge is that the things that we were striving to do well 20 years ago, we still have those type of things today that we need to do well. And most breaches are predicated upon the simple fact that the basic things were not going well in some of these organizations, right?

So, if we think about the basics and we think about things like vulnerability management, right? As much as I don’t want to talk about those kind of things because I’ve been talking about them for 25 years, it’s still a challenge. It’s still an absolute challenge to make sure that your vulnerabilities are cleaned up continually. Vulnerabilities are like open milk – the minute you open, it begins to spoil, right? Our software products need to be secure when we get them out the door and they need to be always secure. Privilege access management, right?

We have more technology sprawl, we have more identities now than we ever have before that we need to manage across on-prem cloud systems, serverless compute, what have you. There’s identities everywhere right now, so we need to secure those. So, the challenge has relatively been the same, but how do we think about – as we move forward – is the problem has borderline become challenging to manage as is. So, we’re looking at new opportunities, like how are we leveraging more platforms over point solutions? How are we leveraging more artificial intelligence to deal with this problem more real time? Because we’re starting to outgrow some of the techniques that we used to use in the past.

[00:12:42] David Puner: Where does AI factor into your priorities and how much of your strategizing involves thinking about it – both defensively and as a business enabler?

[00:12:51] Eric Hussey: As a business enabler, I think that it’s table stakes right now that as a product company – specifically a digital product company – AI is something that you need to have somewhere, somehow incorporated into your product strategy.

But I think what’s important is it has to solve real business problems – not just the buzzword. It’s a tool that allows us to solve a problem more elegantly, quicker, has a good return on value or a good return on investment for the customer. So, when we look at products, there has to be a real business case to go with AI.

We don’t see it as just another buzzword. It is a real business technology advantage that we can fully exploit. If we take that internally to cybersecurity, how do we use it? We look at it as, “How can we leverage AI to rationalize our privilege access management and our identity user access reviews? How do we do that, not only on a monthly basis or a quarterly basis?” Many companies have different cadences on when we do this. How do we do it real time? And then how do we take action based upon the output to ensure our security controls go more to a real time posture – rather than something that we do every 30 days or a quarter.

So, as technology moves quicker, security has always struggled to keep up. We always talk about being one step ahead.

[00:14:13] David Puner: Right.

[00:14:15] Eric Hussey: Frankly speaking, that is very aspirational compared to what we see in reality. For the first time in a long time from a technology perspective, AI is something that I’m very, very excited about.

Even when we talk about software development and we detect vulnerabilities, we’re injecting suggestions right now, right to the developer on how they can fix the vulnerability on the fly. I think we’re getting to that point right now where AI needs to prove itself out a little bit more in terms of efficacy.

But then how do we, again, flip the switch on artificial intelligence and have it start dealing with things in an automated fashion? Because AI becomes smarter than the human, right? So, I think that’s where things are starting to go. We’re starting to talk about automation. AI enables us to more intelligently automate in the future, I think is where things are going.

[00:15:03] David Puner: So, when you look at AI and the problems that it solves or the problems that it can solve – but then you look at the other side of the double-edged sword, of course, and the problems that it can and is creating from a threat actor standpoint – how do you balance the two? Or do you just look at those two sides of the sword separately?

[00:15:24] Eric Hussey: The good guys aren’t the only ones that have artificial intelligence, obviously, right? So, how do you balance? Well, that is the million-dollar question: how do you balance? Those are actually coming in at six months – being at Finastra – those are top conversations that we’re having in the organization right now of, “How do we embed this in the areas that are of most critical importance to protecting our organization first, so we can get ahead of it?”

With that, to realize the promise of artificial intelligence – really realize it – you have to have really exceptional people that are working side-by-side that understand the technical aspects of the job, but also understand the business aspects of the job, too and what’s important. That’s one of the great things about being in Finastra – and frankly back in the FinTech industry – is that there is a lot of, I would say, regulatory oversight, which, in many cases, a lot of CISOs may not enjoy that. I do, because it keeps the conversation very much right at the highest level of, “What are we doing today? What are we doing tomorrow? How do you get from point A to point B? What are the plans to do so? Did you fulfill those plans and actually get the values that you were intended to get?” So, that is critically important for me – is that keeping the conversation always top of mind, to make sure that when we talk about things about AI, that they’re just not another buzzword.

We actually can use it – not in talking – but we’re actually delivering on what we said we’re going to deliver on. And I think that’s the tough thing to do, but that’s the great thing about being back in FinTech and being in a – I would say – a more regulated industry with a heck of a lot more governance internally is, you put a plan together, you’re going to have top down support, but you got to deliver as well. Right? And that’s what I love about being back in FinTech is we deliver.

[00:17:17] David Puner: So, while on the subject of FinTech, what can secure transactions tell us or reflect about overall cybersecurity and identity security?

[00:17:26] Eric Hussey: Well, so I, I think it’s no surprise that, let’s say identity fraud is top of mind. And we’ve seen a lot of great innovation in identity, identity protection and fraud prevention.
That is a topic that is of paramount focus and concern for any organization that has any type of digital product. I always say in financial and FinTech, there’s one thing that people I think are very, very passionate for on a day-to-day basis is, do they have the money to live, right? And do they keep track of that?

I know you and I, we probably get up a few times every week in the morning and, “What’s our bank account balance look like?” Well, people care about money, right? Because it’s a means to live. When we think about that, we also know that if it’s a means to live, it’s probably a heavily-attacked sector in terms of threat actor priorities because there’s money there.

It’s easy to monetize on some of this, right? But unfortunately, a lot of those monetization efforts come at the expense of consumers becoming [inaudible]. Again, this is something I coach my team on – putting yourself ultimately in the consumer’s shoes. What are the things that we’re doing? What are the things that we need to do very, very well at speed to ensure that our consumers are protected?

Because our consumers could be our friends that we just don’t know. Finastra’s solution is the backbone for how they’re completing their financial transactions and in helping keep their financial livelihood intact day-to-day. So, that’s really, really important is to think about the end consumer in this. We’re doing a lot of things – and I talk about this – do the common things uncommonly well. It’s easy to talk about doing a lot of different things. It’s often very, very difficult to do it sustainably well.

So, that’s what I focus on because, at the end of the day, that’s what causes these breaches to happen is a lapse in security effectiveness. And that’s what I’m here to try to make sure it never happens.

[00:19:18] David Puner: So, putting yourself in the consumer’s shoes, that brings us to UX – user experience. How is what you do influenced by UX and how do you balance UX and consumer safety and security and how does identity management factor into the equation?

[00:19:35] Eric Hussey: Yeah, I mean, that’s crucial. UX is everything and this is something, again, it goes back to the saying, “You’re a business executive first.” You have to put yourself in the shoes of the consumer or the internal employee. Security, in many cases, has to be as frictionless of an experience as possible, or will become an impediment to productivity and people will work around it.

Consumers will work around it. Your internal employees will work around it. When it comes to identity, identity is no different. There’s a lot of capabilities out there today where we can intelligently look at and prevent credential stuffing attacks. We can implement concepts like softlock, which is simply what we experience if we type our password in too many times to our iPhone – it just incrementally increases. We can look at things like reCAPTCHA. We can look at things like web application firewalls to stop credential stuffing attacks that are very predictable in their pattern. There’s a lot of things that we can do to help protect against consumer identities.

The space is obviously evolving, right? So, as I get back into FinTech – I would say after 12 years of being out of FinTech – I’m learning as well. And that’s part of the exciting part of joining Finastra is there are things I haven’t had to think about in quite a while. But there’s also perspectives I bring to the table, having worked in other companies that might service the Department of Defense – that the FinTech industry isn’t thinking about.

So, that is the value. I think that different perspectives bring to the cybersecurity community is that it’s always good to have outside perspectives in different ways of looking at solving challenges, not only for basic security hygiene of your systems internally, but in the consumer’s perspective.

So, consumer perspective is top-of-mind – it’s going to be top-of-mind. There’s a ton of innovation in the space right now, particularly as we talk about things like real time payment. The continued emergence of crypto, right? I think we’re going to see a lot more innovation there. We’ve seen the ups and downs of crypto price valuations. Right now we’re at another peak and now we’re starting to see a lot more innovation in the space. How does that transform the banking sector long-term? Does it transform it? Does it sit as a sidecar? I mean, anybody’s guess, right? For those of us that have been in crypto for a long time – I’ve been in crypto for many years – and, in many ways, I think that we’ve seen some innovations come out of the fact that crypto has been there. Crypto was great for fairly inexpensive, real time-ish payments, but now we see the emergence of things like Zelle and Venmo – those things weren’t there. Maybe crypto was the catalyst to facilitate those technology innovations, right?
So, banks need to innovate as the non-banking sector has their innovations as well, as it relates to moving money.

[00:22:22] David Puner: How do you balance, then, the need for innovation or the inevitability of innovation with the need for security in the FinTech space? And how might that differ at least somewhat from the other spaces that you’re familiar with?

[00:22:34] Eric Hussey: Yeah, I think the biggest lever that we have in the financial sector – in the FinTech sector – is regulation. We have great relationships here with the regulators that we interface with. I know that me coming onto Finastra, one of the primary relationships that I have – and it’s a great relationship after we’ve interfaced many times, and dialogued – is the relationship with the different financial regulatory bodies.

[00:23:00] Eric Hussey: That is absolutely critical to making sure that we are not only looking at the financial security and safety aspects from a consumer perspective, but there’s actually national security overtones as well. So, I think that’s one of the things that we’ve seen in the sectors – or just in the digital economy overall – is that when things go sideways or badly, when it relates to cybersecurity breaches, they can have consequences that can impact everyday citizens of the world.

So, I think that what we’re seeing in the financial sector, the government sector, is that there is a lot more oversight, a lot more dialogue between public and private sector, that’s going to help us innovate safely and securely – in context of speed. Being first to market is always a good thing, but when we’re dealing with sectors that pose national security concerns, you have to move safely and securely as well. It’s not all about speed.

[00:24:02] David Puner: How do you stay ahead – or maybe it’s keep up with – new and evolving cybersecurity regulations?

[00:24:08] Eric Hussey: The CISO community, I would say at large, is an exceptionally good community in terms of sharing information. I have my trusted groups that we talk to on Slack channels. If I need anything from a CISO that might work at a certain bank or financial institution that I’ve never met with before or I don’t know, I’m sure someone I know has a connection to them, or I can just reach out blindly and start a dialogue.

That’s one thing I love about the CISO community is everybody is very, very willing to share information and help one another. So, that’s number one. I get some of my best information from that.
Obviously, partnering with the regulatory bodies, it’s a two-way street. Technology is constantly changing. The regulatory bodies want our perspective – we want their perspective. So, that dialogue remains open. I was just working on a white paper for cloud computing with one of the regulatory bodies recently, because a lot of financial sectors, there’s cloud concentration risk that is now beginning to emerge in the financial sector as companies move from on-prem to the cloud.

And then lastly, we have so many resources at our disposal to bring the cybersecurity community together – not only from the vendor community, but also from the nonprofit sector as well. There is an abundance of resourcing out there to take advantage of. It’s just a matter of picking and choosing. Because I have this conversation with my wife all the time – I could probably be out of the house three to four nights a week at some sort of cybersecurity event, learning and talking. There’s just that much information out there to consume. You just have to be willing to put the time in and consume it. And that’s not just for me, it’s for my entire team.

[00:25:48] David Puner: So, you mentioned the cloud. How do you approach the role of FinTech in moving safely and securely to the cloud?

[00:25:55] Eric Hussey: Yeah. I mean, it all starts with good policy standards and procedures, right? Just like anything else. But as we move to the cloud, are we moving there thoughtfully? And I don’t think this is FinTech-specific – I think this applies to any organization. When they move to the cloud, they’re doing lift and shift, which is probably not advisable.

I’m a big fan of the cloud, always have been for a long time, because you can wrap security controls and enforce them exponentially faster than you could potentially do it internally. Unfortunately, with that power to move quickly and secure quickly, gives you the opportunity to make mistakes much more quickly as well.

So, what are the guardrails that we put in place to enable teams to move freely – and with high velocity – but make sure that security is really, really tight, to ensure that configuration management is watched very, very closely in a real-time fashion? To make sure that we’re not making mistakes in opening up things or exposing services that should have never been exposed in the first place?

This is nothing new in the cloud. I think that we’ve seen this predominantly over the last five years in terms of big breaches as a result of misconfigured clouds. Thankfully, we’re getting beyond that now. And I think that we’ve seen some great changes from your large CSPs – your cloud service providers – they’re starting to move more towards a secure by default configuration perspective. That’s only helping, but – I always say this – every company’s on a different part of their security journey. It’s not worth looking at it negatively – it’s only opportunity to move forward and just get on with it.

So, every company is in a different spot. Every company is on a different part of their journey and every company has a history. But, what’s most important is, how will we move intelligently forward at an organization? And that starts at the top, not just me. That starts at the executive level, leadership organization and making sure that the right culture is there.

And, that’s tough to come by. A lot of CISOs don’t get that. Fortunately, at Finastra, we have the right culture at the top and that’s incredibly impactful to moving the security agenda forward.

[00:28:02] David Puner: You seem very calm about all of this. How do you keep your chill on throughout all of this? I don’t think I’ve ever said “chill on.” I don’t even know if that’s a thing, but how do you do that?

[00:28:14] Eric Hussey: I think it’s easy to have the “chill on,” so to speak. It’s like that same question, “What keeps you up at night?” Frankly, not much of anything because I’m so tired by the end of the day, I’m ready to hit the pillow anyway. But I think what makes the conversation and makes your state of mind a little bit more chill is through conversation – making sure that you have the appropriate governance, the appropriate dialogue around risk – and there was an executive that taught me this at a previous organization. And he says, “Eric, let’s just make the best decision we have with the information that we have today.” And that is incredibly important. But I think this is a challenge for a lot of CISOs and the security leaders is – you have to have that conversation and you have to be that business executive first, with a whole lot of empathy on who you’re talking to, to make it real for them.

That’s what helps me, is having the right governance in place. And this is one of the things I love about FinTech – FinTech has exceptionally good governance compared to other sectors – frankly speaking. That helps the conversation happen in the right frequency. The decisions get actioned on in the appropriate manner and the follow-up and the follow through is there not only internally – but the regulatory compliance helps with that as well. So, it’s a much, much more heightened sense of security overwatch – compliance overwatch – than you would typically see in other sectors of the economy.

[00:29:40] David Puner: And do you use that same thinking, that same process for prioritizing Finastra’s most pressing security concerns – or Finastra’s clients’ most pressing security concerns?

[00:29:51] Eric Hussey: Absolutely. That’s a great question: how do you prioritize in everything that seems to be a priority? If you have good governance and good risk management, which we have exceptionally good governance and risk management at Finastra – it’s just part of the DNA of the company, right?

So, we prioritize it based upon the risk management, governance and governance outputs that we have. We prioritize based upon what our key products are, what our customers are saying, what they need help with – and then we’re also prioritizing based upon the signals that we’re getting from the regulatory oversight.

It’s not terribly challenging, frankly speaking, in FinTech to come up with a reasonable roadmap in day-to-day execution that is very aligned with not only business priorities, but customer priorities and regulatory priorities. There’s that much conversation occurring on a very frequent basis in this sector that it makes prioritization a lot easier.

[00:30:45] David Puner: How do you see the role of identity security evolving in the future of FinTech and banking?

[00:30:52] Eric Hussey: Yeah. So again, I’m still fairly new back in the space, but I think that there’s a lot of innovation that can be brought into the FinTech space today – particularly around identity – to enable frictionless enhancements in identity security.

Again, we talked about this before – softlock, MFA – I mean, we’ve been talking about MFA for a long time. And, some of my banking accounts, MFA is not even enabled. Shame on me. I need to get on that. But, there’s still a whole lot of consumer identities that are not protected by multi-factor authentication, right?

It still requires that manual intervention for you to enroll or for you to have your customer enroll on behalf of the consumer. What we’re focusing on right now – and we’ve been having some discussions about this very recently over the past three months – is how do we just get secure identity by default?

So, when our innovations come in, how do we innovatively get them all the way pushed down to the consumer level in the most frictionless way possible, so it doesn’t necessarily feel like, “Oh, I need to do something differently?” So, it all comes down to UX. You know, if I think about things internally, how do you deal with the proliferation of identities in cloud?

Now we’re talking about identity orchestration, because depending on each company’s internal workings, you had a lot of M&A, you have a lot of different identities. It’s a challenge, right? So, I think a lot is dependent – not only on the current state of your digital products today – but the evolution of your company and how it’s come to the current state today.

If you’ve done a lot of M&A in the past, then you’re probably going to have some level of identity debt that you’re going to have to deal with. But you don’t need to deal with all of it.

[00:32:43] David Puner: Identity debt. I don’t know if I’ve heard of identity debt. What is that?

[00:32:47] Eric Hussey: There’s debt in anything, right? I mean, we talk about tech debt, which just leads to process debt. There’s identity debt. You have systems out there that simply just have never really gone through a user access review, as basic as that is. They might be tied to a different identity provider that’s not your primary identity provider in the company. Every company deals with this, but you don’t need to address everything to be effective in cybersecurity.

But what you do address, you need to do it really, really well. And that ties all back to the risk management discussion around how do you prioritize? What do you prioritize? Again, this goes back to me just taking a very practical look at cybersecurity and seeing how breaches have happened in the past. Some of them I’ve been up close and personal with, and I’ve learned a lot through those experiences. But that’s critical. This cybersecurity landscape and the amount of challenges that we need to deal with on a day-to-day basis – if we don’t have those rationalized and funneled as priorities into the organization at large, we’re going to be focusing on something that’s much, much too wide and something that we can’t support sustainably.

So, we’re probably not going to do it well. So, we need to make sure that where we put our investments, they count the most. So, that’s part of risk management. That’s part of how we prioritize in an organization.

Identity is important – but where is it important? – is a more important conversation to have.

[00:34:11] David Puner: It seems like every day there are more and more factors to consider and there are more and more things in the CISO role that hop onto your screen, or into your purview or whatever it may be. How do you see this CISO role evolving in the future – knowing that you don’t love looking into the crystal ball – but, whether it’s one, two, three, five years down the road – where do you think it’s headed?

[00:34:36] Eric Hussey: I think that you might see a convergence of the CISO role with other roles – CIO, CTO – I think we’ve seen a lot of that. And, I don’t say a lot of it – I think we’ve seen some of that in the space by very prominent CISOs in our industry. That’s one thing I love about being a CISO today or a security leader.

And frankly, I hope everybody in my organization appreciates the fact that being in cybersecurity, we get a unique perspective on the technology landscape of the organization. Because we get a very broad one and we get a very deep one, which means that we’re talking to a lot of different people within the organization – and not just technical folks, but business process folks as well. So, a conversation I might have: today I talked to one of our product officers in our mortgage payment division. I’m going to probably have a conversation later this afternoon around solving a challenge in our accounts payable, accounts receivable department.

These are great things that CISOs are exposed to because we develop exceptionally good business acumen as a result. And that is something every CISO, every security organization – no matter at what level that you’re part of – should be taking advantage of. The more you know about an organization and how they function, the more empathy you’ll be able to have when you get into certain conversations, which means that you’ll be more effective.

And the more effective you are, improves the value of who you are to any organization and other organizations that might view you in the future. So, it’s an incredible opportunity, but you have to take advantage of it to see that translate to value – not only for the organization – but for yourself personally and professionally.

[00:36:15] David Puner: So, I see on your CV that you’ve got some teaching experience. Do you have any advice for aspiring CISOs? Has anybody come up to you and said, “I want to become a CISO. What should I do? How do I prepare?”

[00:36:27] Eric Hussey: I think my immediate response is, “Don’t do it.” Right? That’s jokingly. I think if you want to become a CISO – and I talk about this with CISOs that are in transition and things of that nature – of how difficult it is to get a CISO job.

There’s people like me that have a CISO job and may want to get another CISO job to advance their career in the future. There’s people that want to be aspiring CISOs – that want to get that next step in their career, become a CISO for the first time – and then those CISOs that are in transition that have been a CISO for a long time and are trying to get another CISO job.

So, the competition for these roles is fierce. That stated, you have to be fairly well-rounded, you have to put in the time and you have to be able to give back to the community as well. There’s not a week that goes by that I’m not 70, 75 hours a week where I’m dealing with something cyber – whether it’s in my day job or whether it’s teaching in a university setting or whether it’s interacting with my peers on a topic of cybersecurity.

This isn’t a nine-to-five job where you punch in and punch out. So, you have to be committed and you also have to be able to deal with the pressure. A lot of my conversations day-to-day are technical, but a lot of them are just business interacting where I’m trying to promote – evangelize cybersecurity internally. I’m also working with customers to understand what they want to see next or some of the pain points and challenges that they’re having, right?

So, it’s a very multifaceted role where you never have enough time in the day or the week or the month to get to everything. But you somehow, some way need to balance and juggle all these priorities on a day-to-day basis. But one of the things I love to do the most is to give back to the up-and-coming generation.

So, I spent seven or eight years teaching in the university setting. I don’t do that anymore. I kind of hung up the hat about two years ago, for me to focus more time on myself and getting my career to the next level and spending more time with my family. There’s a significant time commitment it takes to become a CISO and sometimes that ebb and flows. You’re going to sacrifice family time, you’re going to sacrifice personal satisfaction in some ways to focus on the job at hand. But for me, I like to give back to the up-and-coming generation. I think that’s very, very important that they get outside perspectives from industry to teach them, to help them and to guide them through their career.

Students I taught six years ago are now at major brands in the economy and they’re in their first security jobs. And they reach out to me from time to time – “What do you think? How do you feel about this? What should I do?” Those are conversations I love to have. Because I remember early on in my career – a lot of my career success has been as a result of my hard work – but the other reality is that I had some really, really good mentors that had my back and believed in me early on. So this is me repaying that.

[00:39:29] David Puner: A lot of what you were just saying, I was watching an episode of this Netflix show called “Full Swing,” which follows professional golfers. And Rory McIlroy was talking about a lot of those same points that you just mentioned in the episode I just saw. It’s really interesting and seems to be sort of a common thread.

[00:39:49] Eric Hussey: Yeah, I mean, it’s crucial. My first mentor – who got me into the security industry to start – he’s retiring this month. I’ve never forgotten him throughout my entire career and how much he did for me. So I’m going to be flying down to New Jersey in a couple of weeks to meet with him just to say thank you. Take him out for dinner – happy retirement. I appreciate everything that he did for me. And those people in your career that have truly helped you – you can’t ever forget where you came from and make sure that you’re giving the proper respects. And making sure you’re taking forward parts of their legacy and incorporating it into yours – and how you want to be remembered and what you’re going to do for the community to make it better. So, that’s what I try to do.

[00:40:31] David Puner: That’s really nice. Eric, we’re almost up against the hour. This has been fantastic. Just want to ask you one thing before we tap out on this windy, rainy day in April on a Friday. What are we doing this weekend? What’s on the plate? How do you wind down?

[00:40:46] Eric Hussey: How do I wind down? The great news about this weekend is that I don’t actually have anything to do. So, this weekend is going to be all about spending time with my family. I’ve got two young girls, 10 and five. The last job I had, I traveled a significant amount of time. So, with Finastra, great work-life balance – for as much as that can possibly be in place for a CISO – so it gives me a lot of time to be home. This weekend’s all about a little bit of decompression. Maybe a couple kids’ movies, maybe a little dinner at a restaurant and that’s it – rest up before we get ready to go on Monday again.

[00:41:21] David Puner: Sounds great. Eric Hussey, thanks so much for coming on to Trust Issues.

[00:41:26] Eric Hussey: Thanks, Dave. Appreciate it.

[00:41:37] David Puner: Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. And, let’s see – oh yeah – drop us a line, if you feel so inclined. Questions, comments, suggestions, which, come to think of it, are kind of

[00:42:00] like comments – our email address is trustissues, all one word, at CyberArk.com. See you next time.