Rick Doten, VP, Information Security at Centene Corporation, and CISO of Carolina Complete Health based in Charlotte, NC, has spent his 25+ year cybersecurity career teaching, speaking and consulting. Today he speaks with Apex about his journey and outlook on what comes next and how we get there.
Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?
The CIO is responsible for developing and maintaining the technical infrastructure to run the business. The CISO is responsible for protecting from threats and managing risks that could impact the security and resiliency of that infrastructure.
Q: What is the biggest challenge for a CISO today?
Honestly, keeping the organization focused. There are so many security issues popping up in the news, from SolarWinds, ransomware, spyware on phones, etc., that it becomes a frequent task to respond to executives who read these stories and ask, “What are we doing about this?”
Obviously, staying on top of these new threats and issues is important, and verifying what the risk might be to the business, but they should just influence the security strategy. Keep to the plan you’ve established and are following, and try not to get distracted by specific events. Because otherwise, it’s like chasing dogs that burst out of the front door every time you open it.
Q: How has the role of the CIO/CISO changed over your career?
I have been in the business long enough to see how the role evolved from when Steve Katz was appointed the first CISO in the mid-1990s.
Initially, it was more technically focused, to find and close security gaps; then in the early 2000s, it became compliance-focused. At that time, when I was a consultant, one of my CISO customers said he didn’t fear the hackers as much as the auditors. In fact, in the mid-2000s, I saw many CISOs start to go to law school to better understand the rising regulatory landscape. Up to this time, the CISOs were reporting to the CIO.
Then in the early 2010s I saw the shift to risk management. IT security governance programs were being stood up more broadly, and we saw CISOs come out from under CIOs and report to CEOs, COOs, CROs, CFOs, etc. This is where we started getting a seat at the executive table and board room on a regular basis, not just when there was a security breach.
Today, it’s understood that CISOs are part of the business, and that technology risk is a business risk. Business executives have come to realize that CISOs have more of a role than just being the “in case of emergency, break glass” person, because a trusted, secure, stable, resilient infrastructure is a business enabler.
Q: How do you stay abreast of the trends and what your peers are doing?
I am part of a local CISO group here in Charlotte that meets once a month. Because everything has been virtual the last 18 months, I’ve been able to do so much more networking with my peers than before. I do a number of CISO virtual roundtables, speak on panels, and deliver keynotes at security conferences. I’m also on security podcasts.
Q: What advice would you give an early stage CIO or CISO joining an enterprise organization?
Understand the business you are in: How does it make money? Who are its customers? What obligations does it have to customers, regulators, or industry? Develop a governance process first to link the business requirements to IT risk management goals. Develop an incident response plan and process to make sure you can respond when things go wrong. With technical controls, focus on the fundamentals; don’t chase the hot trends or threats. Technology is the easy part; don’t focus on finding the best tools, focus on the outcomes of the process. Tools support a process.
Q: How has DevOps and cloud services changed the way you design, build, deploy, and operate online systems and secure infrastructure?
I spent years doing application security consulting, from ethical hacking of online banking apps back in the late 90s, to training developers on application security, to helping firms integrate security within the application life cycle. Cloud is now part of the application security process. The cloud is an application itself. With infrastructure as code, governance as code, microservices, and APIs in the cloud, applications and cloud have to be integrated. Multiple diverse teams are also now involved, not just developers, DBAs, and server admins. We’ve moved from design, build, run; to collaborate, integrate, and orchestrate.
Q: What are some of the personal experiences — or compelling arguments — that have influenced your thinking around gender and technology and have motivated you to get involved in being an advocate for change?
Cybersecurity talent is much more about personality and aptitude than education and certifications. I think we have made the industry too intimidating for people who think they need to be geniuses, good at math, or have a certification to be a practitioner.
There are specific personality traits that make a good cybersecurity person: inquisitiveness, correlation, pattern matching, tenacity, and not being afraid to try something that has never been done before. These are not qualities you can train effectively into people who don’t have them natively. But you can train people on tools and procedures.
I’m a big fan of the Cyber Aptitude and Talent Assessment (CATA) test. This test doesn’t ask anything about security practices, controls, or standards, just questions to gauge how a person thinks. It has been used successfully in the UK and US militaries to identify potential cybersecurity talent. Anyone who has an interest in this industry should take the test, no matter their background, education, age, race, sex, or disability: it levels the field to measure a person on aptitude.
Rick Doten – VP, Information Security, Centene Corporation & CISO of Carolina Complete Health
Rick is VP, Information Security at Centene Corporation, and CISO of Carolina Complete Health based in Charlotte, NC. Rick supports both the NC health plan and corporate Centene in a cybersecurity leadership role.
In his prior role, Rick worked as a virtual CISO supporting international companies. Rick also developed the curriculum for a Cybersecurity Master’s degree program for an international university.
Rick is an avid speaker at cybersecurity conferences, a guest on cybersecurity podcasts, and is a member of The CyberWire Hashtable. Rick is on the Board of his local ISC2 chapter.
He is part of the editorial panel of the CIS Critical Security Controls, and was the lead author on the newest version 8 of the Controls. Rick has a YouTube channel where he gives an overview of the updates and changes to each of the 18 Controls in CIS CSC v8.
Rick has alternated between being a management consultant and CISO throughout his 25+ year cybersecurity career, where he has run ethical hacking, incident response and forensics, and risk management teams.