Date: 2019-10-29

In light of Cybersecurity Awareness Month, Nasdaq Decodes with Ryan Wells explores how to build a cybersecurity team with Colleen Valentine, Director of Information Security at Nasdaq. Below is a transcript of the conversation, which has been lightly edited for clarity.

RW: Welcome to Decodes. As part of this series, today we're talking to Colleen Valentine, who is a director of information security here at NASDAQ. This month of October is Cybersecurity Awareness Month, so we thought, who better to talk to than Colleen? So, let's just jump right into it. I kind of want to hear a little about exactly what your role is here. Cybersecurity is such a broad topic. So, for you in your line of work, what does your day-to-day look like?

CV: I'm the head of information security, governance and compliance. What we do is the softer side of InfoSec. We do our education programs, our policies and standards, our board reporting. And also, we are a liaison for the regulators. So, a lot of it is translating what the technical teams are doing and making it a clear, succinct message.

RW: So, if you're a small business and you want to put together a cybersecurity program, what do you see are the essential ingredients?

CV: There are three things you need to make sure you do before you actually start hiring people or building a team. One would be a clear understanding of the regulatory and business requirements that your organization is facing. A second would be that you need to align to an industry-standard framework. You need to have some sort of artifact that says this is why and how we built our program. And a third would be that there needs to be a risk-based approach to your program implementation. So, you really need to know what your critical assets or processes are and how and why you are protecting them. And then, once you really have a clear understanding, you can get into the real tactical implementation of the people, the processes, and then the tools that would help support that.

RW: More specifically, are there any dos and don'ts within that as they build it? What would you say are some of the main things to point out?

CV: I would say one of the biggest things is to engage all key stakeholders. So, the converse of that is: don't operate in a vacuum. You need to have buy-in from senior management, and you need to know who your partners are, whether it's a chief risk officer, finance, or human resources. Information security, at the end of the day, is a shared responsibility. So there needs to be a top-down directive that this is extremely important to the company.

RW: I see. So, on the employee side: you build your program, and then, in terms of your employees and their awareness of cybersecurity at the company, how do you make sure that they know that this is an important part of their role as an employee as well? They play a huge part in this. How do you put together a program to make sure that employees are front and center in that?

CV: That's why, when you're looking at your program, you need to have the people who are the technical engineers implementing the tools, but you also need to have someone in the governance role like me, who's really focused on education. I can't say that enough. Educate, educate, educate. We're very clear that employees are on the front lines for us. They are our line of defense. We really want to make sure that our employees have the tools and the tricks to be able to help us in this. Right. There's a stat out there that over 90 percent of cyber-attacks could start with a phishing attempt. So, we take it on as our responsibility. We want our employees to know: how do you identify a phish? If something seems suspicious, where do you report it? So over-communication and education are really key to our program.

RW: So, in terms of making sure the employees stay vigilant, what would you say are some of the best practices for that on your end?

CV: So, I mean, one overall thing is we really want to reward positive security behavior. A lot of times, InfoSec could be seen as the police, and that's not [good]. We want to recognize people who are vigilant, who are aware, who practice good cybersecurity. If you're practicing good cybersecurity behavior, whether at work or at home, it crosses boundaries. So, think about your family. Think about your kids, if you have them. You want to protect their identities. You want to protect their data. So, if you have that mindset, it translates to work as well.