Blog
Cloud Control

Cloud Control: Q&A with Mark Milne on AI Innovations and the Power of Partnerships in Cybersecurity

April 9, 2024

Want weekly newsletters featuring interviews with security and cloud leaders delivered right to your inbox? Sign up for Cloud Control here.

Beyond the Basics: Mark Milne on AI Innovations and the Power of Partnerships in Cybersecurity

I’m excited to share this week’s Cloud Control highlight - a fireside chat with cybersecurity veteran, Mark Milne, CISO at Westfield Insurance. Mark’s a heavyweight in the cyber space, steering through the challenges with innovation and solid partnerships.

Mark gives us a peek into harnessing AI for defense and the power of alliances in crafting a resilient security posture. His experience spans giants like GoDaddy, Nu Skin, and American Express, making his insights invaluable whether you’re on the front lines or strategizing from afar.

So, take a moment and join us as we dive into lessons learned from Mark, one of the top CISO's in the game👇

Question 1 💭

Mark, it's a pleasure to have you join us. To kick things off, could you share a bit about your background and what you’re focused on at Westfield Insurance? Tell us about the innovations or developments in the field that are currently getting you excited.

Answer 1 🎯

Thanks for having me. I joined Westfield as CISO in 2022. I am responsible for the continued development and oversight of Westfield’s information security program by providing strategies and action plans to protect Westfield in the areas of data protection, security monitoring and response, and regulatory compliance.

I joined Westfield from Nu Skin where I led the global Information Security and Privacy program responsible for protecting sensitive data and managing privacy for 70,000 independent affiliates and more than 1,000,000 customers. Prior to Nu Skin, my career focused on building and leading security, risk, and governance programs with KPMG, GoDaddy, and American Express.

Like many, I’m currently interested in the innovations leveraging generative AI technologies within the information security space. As an example, how generative AI could be used to enhance SOAR by dynamically building playbooks based on events received.

 

Question 2 💭

Having dedicated more than twenty years to leading information security efforts across a range of industries, I'd love to hear about a particular strategy you've put into place that made a significant difference in a company's security stance. Could you also touch on some of the major challenges you encountered while rolling out these measures?

Answer 2 🎯

Focusing on the hygiene of foundational controls found across industry frameworks (e.g., CIS, NIST-CSF) has consistently provided a positive impact within my security programs. There is an added benefit of referencing the frameworks as this also provides a reference point to report to stakeholders on progress and program maturity.

Beyond foundational controls, implementation of automation through SOAR has provided a force-multiplier in the protection of organizations. Not only have we been able to demonstrate hours of manual time saved in repetitive tasks, the SOAR work has significantly mitigated authentication attacks and areas of fraud.

 

Question 3 💭

In your journey through companies like American Express and GoDaddy, you’ve had to navigate some pretty complex cybersecurity landscapes. What’s your secret for staying ahead of cyber threats? Especially in industries that seem to be prone to said threats and hackers?

Enabling success has been achieved through organizational design that models the NIST-CSF framework with core teams aligned to GRC, Security Architecture & Engineering, and Threat Management. 

Answer 3 🎯

“Great vision without great people is irrelevant.” - Jim Collins

Success has come through the teams I have worked with during my career. I’ve been fortunate to have been surrounded by great professionals who are passionate and dedicated to their roles within cybersecurity. Enabling success has been achieved through organizational design that models the NIST-CSF framework with core teams aligned to GRC, Security Architecture & Engineering, and Threat Management.  Providing teams clear alignment to their roles, necessary training, and resourcing to be successful has proven a powerful formula in staying ahead of cyber threats.

 

Question 4 💭

Your expertise clearly leans towards the use of data and analytics in shaping strategies. Would you mind delving into a specific scenario where data analytics played a pivotal role in your approach to security and influenced your decision-making process?

Answer 4 🎯

Formation of a security strategy is reliant on data driven decisions. I start with an information security risk assessment to identify and prioritize an enterprise’s risks. The treatment of risks, including the security architecture and controls deployed, is then evaluated based on the reduction of risk provided by the investment made. This analysis and quantification of risk reduction provides solid support when discussing security investments with a company’s CFO or other executive stakeholders.

 

‘Partnership’ is the key word…I don’t want to work with vendors, I want partners who have my back and the company's interest in mind.

Question 5 💭

I often hear you talk about building powerful partnerships and collaborations, and it seems to be one of your strengths.Tell us more about how these partnerships have impacted your security programs. Are there any specific collaborations that stand out you could tell us about?

Answer 5 🎯

‘Partnership’ is the key word…I don’t want to work with vendors, I want partners who have my back and the company's interest in mind. One partnership I pay particular attention to is my incident response partners. Of course I want IR partners available in the event of an incident; however, I also look for IR partners who are readily available to work with me on complementary work that will enhance IR execution (e.g., security testing, execution of table-top exercises). 

I’ve found IR partners are also fantastic guest speakers to join me in presenting to the board. Recently an IR partner presented with me to our board and it furthered the board's support to hear another perspective on the threat landscape and lessons learned from IR services performed for other companies.

 

Question 6 💭

Stepping into your role as CISO at Westfield Insurance, could you share what are your top three priorities currently? How are you planning to tackle them?

Answer 6 🎯

Coming into an organization, I have 3 areas of focus:

  1. My Team:  As I mentioned previously, my success is a function of my team’s success.  Taking time as a team to establish a culture of trust provides an environment where the group can succeed as a whole.
  2. Understand the Company:  To operate in a security leadership role, or I would argue any security role, one must understand the company’s mission, vision, business processes, and economic drivers. To onboard quickly, I meet with key stakeholders across the organization to both learn from them and to build a relationship. 
  3. Set a Baseline:  As an incumbent CISO, it is important to work with an independent partner to evaluate the maturity of the security program.  This provides a point of reference to build from and helps with the prioritization and development of a security roadmap.

 

Question 7 💭

You've previously mentioned the importance of aligning IT security measures with the broader business objectives, acknowledging that it's often easier said than done. How do you manage to achieve this alignment, especially in situations where the company's business model or priorities shift more rapidly than anticipated?

Program management of the security organization is often overlooked. We have adopted an agile approach to program management that allows flexibility to prioritize capacity to our security roadmap and the business’ needs.

Answer 7 🎯

Program management of the security organization is often overlooked. We have adopted an agile approach to program management that allows flexibility to prioritize capacity to our security roadmap and the business’ needs. Program management should be established in a manner that parallels business planning cycles and enables the right touch points with the business to both give and receive input on shifting priorities.

 

Question 8 💭

The landscape of security threats is constantly evolving. Can you recount a time when you had to respond quickly to a new or emerging threat? How did you handle the situation, and what lessons did you take away from it?

Answer 8 🎯

Is there a better example than Log4J? 😣

As a collective security community, nearly all of us experienced the call to quickly identify and remediate Log4J vulnerabilities within our environments…whether in our own code or in the code or products we were using. 

The mitigation of Log4J came over the course of multiple patches, reminding security and IT operations teams that the resolution of identified zero day vulnerabilities may come through several iterations. The ability to scanning, reporting, patching, and validation processes were all improved through the lessons that Log4J presented.

 

Question 9 💭

With AI and machine learning becoming more and more prevalent, how do you see these technologies shaping the future of cyber and cloud security? How have you begun integrating them into your security strategy?

Answer 9 🎯

AI and machine learning are playing a role in security’s evolution. We are seeing instances where AI is enhancing social engineering capabilities or enhancing the decisioning of tactics and techniques deployed against organizations. On the other hand, following are examples where we are actively working with AI to enhance our security processes: detection and response capabilities, analysis of threat intelligence, improved phishing detection, and enhanced user behavior analysis.

 

Question 10 💭

Finally, let’s talk about what you see as the biggest challenges and opportunities for cloud and cybersecurity professionals. What should we be focusing on or striving towards?

Answer 10 🎯

We are still experiencing a security talent deficit, but I’m optimistic that we can grow our way out of the talent deficit. As new or seasoned security professionals, we should be supporting and mentoring those who are new to their career or those who may be interested in a career change to information security. Let’s all look for opportunities to expand our great security community together.

Latest AWS and Azure Updates You Don’t Want to Miss

  1. Sellers can now resell third-party professional services in AWS Marketplace
  2. Stream data into Snowflake using Kinesis Data Firehose and Snowflake Snowpipe Streaming (Preview)
  3. Amazon ECS and AWS Fargate now integrate with Amazon EBS
  4. Azure API management developer portal unveils enhanced features for increased developer productivity
  5. ExpressRoute Metro for high resiliency

Top Articles and Resources of the Week

Articles

  1. Security threats to enterprises in the cloud (and how to address them)
  2. Three cloud security misconceptions that hold SMBs back
  3. Can generative AI help address the cybersecurity resource gap?
  4. Microsoft Copilot for security is generally available, adding AI to cyber fight
  5. Privacy and security issues of using AI for academic purposes

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.
  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.
  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.

Subscribe to Cloud Control, our weekly newsletter interviewing security and cloud leaders.

Related Posts

April 30, 2024

Cloud Control: Q&A with Ken Toler on Bridging Code and Security in the Future of Cloud Responsibilities

Join Ken Toler as he delves into the evolving role of code in cloud security. Discover key insights on integrating security with modern workloads and the challenges of everything-as-code in our comprehensive interview.
Read full Post
April 24, 2024

Q&A with SafetyDetectives

This interview explores the inception of Gomboc.AI, the core issues it aims to solve, and its distinct advantages over conventional security solutions in today’s rapidly evolving tech landscape.
Read full Post
April 23, 2024

Cloud Control: Q&A with DryRun Security's Ken Johnson on Contextual Security Analysis

Explore how Ken Johnson of DryRun Security is redefining application security with Contextual Security Analysis, enhancing how developers integrate security into their daily workflows in our latest Cloud Control interview.
Read full Post
View all