The Dig Leagues - Our Interview with Chris Hetner

Chris Hetner is a Senior Executive, Board Director, and leader with over 25 years of experience in cybersecurity, risk management, and regulatory compliance. Chris has been recognized for raising cyber risk to the Corporate Board level to protect industries, infrastructures, and economies. Chris is also the initiator and creator of operational resilience through aligning robust Cybersecurity strategies with business objectives. He holds an M.S. in Information Assurance (Cum Laude) from Norwich University and a B.S in Security Management from John Jay College of Criminal Justice City University of New York.

‍‍
Tell us about your background.

I've been in the cybersecurity information security arena for close to 30 years. I started my career back in the nineties working for financial institutions where I studied the relationship between criminal behavior and the use of computer systems and technology. I worked with banking entities and other financial services companies in New York and helped with building data centers, running security operations, and deploying and managing firewalls and intrusion detection monitoring. After working in the data centers for a while, I shifted my focus toward Wall Street banks and worked for Citigroup as their SVP of Global Information Security as well as GE Capital as their CISO. Since then, I have held various other positions, including Cybersecurity Management Consultant for Ernst & Young, Chair of the Securities and Exchange Commission for the US Government, Senior Advisor of the National Association of Corporate Directors, and board member for a private equity fund I advise.

What are some of your core beliefs as a security leader?

My biggest core belief is around transparency and the need to communicate effectively across departments within a business. This is less about the technology and more about the business’s operational and financial exposure. Having that transparency in place helps me deliver insights into what cyber threats will introduce material financial exposure. Sharing that information with management, the CEO, and the board helps them be able to make significant investments to deploy capital and other resources against those threats.

What have you seen that works (or doesn’t work) when building out a data security team?

This ties in to my previous answer about transparency – I think transparency is the key component to being a successful leader in cybersecurity because you can enable people within and outside of your organization to be creative. I like to place everything on the table and encourage open discussion and dialogue to make sure the organization has a 360 view. I also believe in introducing diverse concepts, ideas, and inclusivity across a wide range of constituents. All of this combined enables the organization to be more effective at cybersecurity because it’s not simply isolated at the CISO level, it’s threaded throughout the entirety of the organization and is seen as everyone’s responsibility. 

We often hear “it’s not a matter of if you’ll get breached, but when.” What’s the first question you ask yourself when a breach occurs?

The first question I ask is how bad the damage is. Then, I dive straight into figuring out the history behind the breach. I would want to know things like whether we have any historical data around when we were notified, who was involved, if external individuals like law enforcement or a whistleblower were involved, and how the breach was discovered. It’s important to really unpack the degree by which the breach happened and what the impact could be. If the breach is still active at that point, I would activate my team to make sure we’re doing everything under our control with precision and accuracy to contain the breach as quickly as possible. 

Once you’ve contained the breach, it’s time for the CISO to pull together the entire crisis response team, including compliance, risk management, finance, general counsel, the CEO, and maybe even the board. This team should look at the collateral damage and assess how bad the impact on the business’s operational and financial condition is so the organization can conduct the proper investigations, assess the level of damage done, and start to get back to some level of normalcy. 

What are some of the best practices to implement when creating or managing a new data security project?

Before hitting the ground running, you want to make sure you understand what you’re trying to achieve. Consider your overall objective – are you trying to protect data from a business asset perspective? Are you protecting data just because you have it but it doesn’t actually add value to the enterprise? Can you protect the data in relation to the mission criticality of the organization? From there, you can trace back and figure out what the right level of process needed is, if you need to stand up a committee, how often the committee should meet, the size of the data security program, if it’s being applied to a single unit in the organization or across the entire thing, the level of resources needed, and realistic timelines, checkpoints, and goals.

Depending on the level of complexity or depth of the program, you might need to bring on a data security vendor to run the program effectively. That’s where vendors like Dig Security come in – Dig is an agentless multi-cloud data security platform that discovers, classifies, and protects sensitive data. Using Dig's Data Security Posture Management (DSPM) capabilities, organizations can quickly locate their most critical data and contextualize it by the level of access and criticality. Plus, Dig provides real-time data detection and response (DDR) to ensure immediate handling of newly discovered data-related incidents by integrating with existing security solutions. Tools like Dig give organizations the visibility they need to adequately manage and secure data from one central location. 

What’s a major cloud data security trend you’re paying attention to in 2023?

The one I have my eye on is API security on cloud platforms. Think of all of the applications that communicate back and forth within a cloud environment: most of them are all connected through APIs, and what we’re seeing is that those APIs are being compromised because they don’t have built-in controls and defenses like proper authentication levels or encryption. The APIs are inherently weak and therefore vulnerable and open to attack. I’m paying attention to the attacks that are happening in this space as well as new security advancements and platforms that are working to protect against this growing issue.

What’s one parting piece of wisdom you have for today’s security leaders?

I’d say be transparent about the level of knowledge you have around cybersecurity, the level of understanding of the business you’re supporting, and the level of capability you have to defend the enterprise from a cyberattack. To be effective at all of these things, you need to be constantly learning and evolving, and you’re really never done with that journey.

I also think being ok with knowing there are things you don’t know will go a long way. Organizations sometimes tout that they have best-in-class security, nobody is better than them, etc., but I think that’s a quite shortsighted and dangerous approach to cybersecurity. Effective leaders are constantly reinventing themselves, constantly evolving their security programs, and always being communicative with the CEO and board of directors around how they’re defending the company.

‍