
Nasdaq Decodes: The World of Cybersecurity

Nasdaq Decodes with Ryan Wells explores the world of cybersecurity with Lou Modano, Chief Information Security Officer at Nasdaq.

In light of Cybersecurity Awareness Month, Nasdaq Decodes with Ryan Wells explores the world of cybersecurity with Lou Modano, Chief Information Security Officer at Nasdaq. Below is a transcript of the conversation, which has been lightly edited for clarity.

RW: Welcome to Decodes. We're here today with Lou Modano, our CISO at Nasdaq. We have Cybersecurity Awareness Month. So we thought this could be a good opportunity to talk to Lou about basically all things in his world that we should be interested in and concerned with and get his thoughts about it. So, I wanted to jump right in with Lou and talk a little bit about the fact that cybersecurity isn't necessarily just a technology issue anymore. It's a business issue. It's a strategy issue. It's a governance issue. So how have you seen cybersecurity evolve? What's it like right now for you as a CISO?

LM: So, first of all, thanks for having me here, Ryan. I would say the first thing that's different about being a CISO from five years ago is the fact that we're on the stage. And what I mean by that is we're being asked more often to give communication messages out to the media, to the board in particular, to the management team. And it's so important, given our voice and the power of our voice, to have the right context around anything that we communicate.

So, when you look at my space, you might ask, what are some of the shared concerns that you have with your peers? The main one would be how we balance good security with the needs of the business, our constituents, the industry and our regulators. That is probably the most challenging part of the job. It's also the most fun part of the job. So, I typically call that a baseline. And when you look at our concerns, I think one of the most important ones is, does the CISO know the threats against the organization and what are they doing to prepare against those threats? Those are critically important things to consider. I also worry about what I don't know. So, I ask my team to constantly look externally for intelligence; intelligence that sometimes is shared by the industry, my peers, and sometimes by different government agencies, and act on it to see how it could have a material impact on us.

Another area that's a growing concern we deal with daily is critical software vulnerabilities. These are typically released by a third party where there's a special note that goes out citing what the bug is or what the gap in the security in their product is. And it's really important for us to address that. When you look at the scale of this or the volume, it is increasing on a daily basis. To give you some sense of the numbers, we see about 45,000 software vulnerabilities per week. And that number is growing. That's grown dramatically over the past few years, and I expect that trend to continue.

Now, not only is that growing, but the time where a bad actor can exploit that is shrinking, because in many cases there are exploit kits available externally in the dark market for them to access and to take advantage of that. Most of the breaches that you have heard about [are] the large-scale ones that have occurred because of a vulnerability in the environment. Another concern that I like to call out is the insider. So, employees. How do we create a culture of security? How do we get our employees to really understand the importance of their role, not just what they do day-to-day, but how security is part of that? Having a really strong awareness program is certainly key. 

The other point, which every CISO faces, is how do we find good talent, and how do we retain it? Right now, there's a negative impact of employment in the security space. And it's a matter of how do you keep people interested, how do you keep them engaged. That's something that Nasdaq prides itself on: building engagement with its employees, and keeping a culture that is not complacent. So, how do we give our employees challenging projects, initiatives to keep them highly motivated?

RW: You have had the CISO role for almost five years now. So how has the CISO role evolved over the past five years? 

LM: Probably the biggest change I mentioned is having a voice. The voice that the CISO has today is much greater than it had before. Not to say that the role is dramatically different. The CISO was purely viewed as a part of the tech team that was protecting the organization. And when you look at the role today, it's become more about how does the CISO impact the company strategy and the product strategy. How does he or she enable the business?

And in many cases, having a strong, mature program could help the organization drive additional business. That's a key one. The other is, the role of the CISO goes beyond our organization. When you are in this role, you can do everything within your power, within your organization. But it's also important to have a voice and collaborate with your industry peers and with other entities, third-party vendors, share the concerns, learn about the product sets and services that have become available. Because we're all fighting the same challenge.

RW: What are the best practices for making this become part of the board's and senior management’s responsibility as well?

LM: This is a great question. I think many people, when they think of a board member, they think they're fortunate to have this role as a board member and they certainly are. But many times, they don't understand the gravity of that role. A board member has so many different inputs that are required of that role, whether it's input from the management team, the shareholders, the clients, or industry peers. They also have a fiduciary responsibility on behalf of all of those entities.

When it comes to cyber, it's a different animal. Board members typically understand the risks in their organization. But when it comes to cyber, those risks are not always understood. And the reason for that, in many cases, is that those risks are evolving. There are also a host of geopolitical activities that are occurring where cyber is now being used as a weapon. It could be targeting your organization specifically. It could be targeting your industry. It could be a host of different challenges they face. As a board member, you need to process all that. You hear about a breach in the news, the first thing you should probably be asking yourself is how did that happen there? How could that happen? Could it happen to my organization? What is my CISO doing about it? So, on that point, specifically, what we do here is we do learnings whenever there is an outside activity. We try to do our best to understand what happened and how it could potentially impact our organization.

RW: How do you instill a culture of cyber awareness? We are a technology company at Nasdaq. So, I think more than other companies we understand technology, and we are comfortable around topics like cyber and so forth. How do you instill that culture in an organization?

LM: Building a true culture of security is extremely difficult. And I say it's difficult, going back to my point about how does everyone understand how they will impact security. At the same point, it helps when the message about the culture of security starts at the top. We're fortunate that we have a CEO, CFO, CIO that are all greatly attuned to the importance of the role of cybersecurity in an organization and the impact it could have. So it really starts there. And that messaging, including the messaging that I have for the organization, needs to resonate through all areas of the company. 

So that's one starting point.

The other is having a robust security awareness training program that includes annual training and testing. So phishing is an activity where we've seen a dramatic increase in the last four months, and we expect that to continue. You need to test your employees. Not because you want to catch them, but because you want to make them aware that this could happen. Cyber drills and tabletop exercises are critically important in order to be able to know how to respond to an incident. So, all those components make up what I call a true culture of security.
