CISO Insider S2E5 - A Community of cybersecurity with Michelle Valdez

August 13, 2021
At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.

We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.  

One Main Financial CISO Michelle Valdez joins CISO Insider to discuss building a community of cybersecurity, increasing resiliency and reducing human risk to minimize the impact of security incidents, and how she built this approach to cybersecurity from her long career that began in the Air Force and now includes her work in fintech in the private sector.

Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at marketing@nightfall.ai.

Chris Martinez: Welcome to CISO Insider, Nightfall’s chat with Chief Information Security Officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.  

Chris Martinez: One Main Financial CISO Michelle Valdez joins CISO Insider to discuss how to build a community of cybersecurity. Her approach is all about resiliency and reducing human risk to minimize the impact of security incidents. We talk about how she built this approach from her long career that began in the Air Force and now includes her work in fintech in the private sector. She also shares advice on how CISOs from all backgrounds can excel in the role — even CISOs without technical backgrounds. Finally, hear about how she thinks about data security as a security executive. We’re excited to share our discussion with Michelle.

Chris Martinez: Can you walk us through your path in the Air Force as a cybersecurity expert? You've worked in some really fascinating roles in the U.S. Department of Defense, the Office of the Director of National Intelligence and the Department of Homeland Security.

Michelle Valdez: My time in the Air Force had very little to do with cybersecurity. First of all, at the time we didn't even call it cybersecurity. The term then was “computer crime” and I was a federal investigator. I was in the Air Force Office of Special Investigations. And while computer forensics was involved in certainly some of the cases that I worked on, it wasn't my primary area of focus. When I separated from the Air Force, I worked for one of my former commanders who was looking to stand up a Department of Defense computer forensic capability. The lab already existed, and there was some training in place, but he was looking at creating a center of excellence, and at how the Department of Defense was responding to any sort of crime, particularly post 9-11.

Michelle Valdez: Obviously, there was a lot going on in the terrorism realm from a computer perspective. And so, when he asked me to come join, my first response was, “I really don't know much about computers.” But he brought me in to help build the organization and that was something that I had had some experience with. We spent a little over two years standing up a cybercrime center, which became one of the national cyber crime centers for the entire federal government. In my work with them, and also when I was working at the Office of the Director of National Intelligence, I got more and more exposure to the cybersecurity field. It was gaining very fast traction across industry.

Michelle Valdez: I went back to the Department of Defense Cyber Crime Center, we call it DC3, to help stand up an information sharing relationship between defense contractors and the Department of Defense. It was a very challenging thing to do because these were contractors who were doing things for the Department of Defense and worried about the DoD knowing about anything going on on their network that might not be good. They were worried it would impact the contracts. But I think very quickly people realized that this was not something that anybody could tackle alone. It's something that had to be addressed as a community, with information sharing and transparency.

Michelle Valdez: I went from there to the Department of Homeland Security to do the same thing for the rest of the critical infrastructure sectors. That’s been my path in the government for cybersecurity.

Chris Martinez: How did your work in the Air Force prep you for the CISO role?

Michelle Valdez: Part of it is leadership. I think one of the most important things as a CISO is to be a leader for the company and help drive cultural change, to drive a cybersecurity aware environment, and to help manage human risks. And that's what I did. I just did it in a different environment, from a criminal perspective and then from a terrorism perspective, and now I do it from a cyber perspective. As an officer, that is a leadership role. We are taught how to be a leader from the minute we even think about going into the military. So I think that definitely was a big contributor to my being willing, interested and excited to take on the CISO role, as well as other leadership roles as I progressed in my career. Being a CISO was one of my ultimate goals. I’m thrilled for this opportunity now.

Chris Martinez: You mentioned being on the ground floor of cybersecurity post 9-11. How did things change for you in your work in the long term and the short term and how are we as cybersecurity professionals still impacted by that event today?

Michelle Valdez: I think that the response and the engagement that occurred across the intelligence community in response to 9-11 set the path for the exact same thing that has happened in the cyber realm today. Before 9-11, you had federal agencies who did not communicate or coordinate with one another. Some of them didn't even have the ability technically to communicate with each other. It made everyone in the community realize that they had to work together, as cybersecurity started to gain awareness across our industry, and particularly as some defense industrial base contractors were starting to be impacted by foreign actors. The people who were in the intelligence community during 9-11 and working in cybersecurity today are taking the lessons learned from building a community with communication, transparency, partnership, and collaboration that occurred in the cybersecurity space during that time.

Michelle Valdez: And certainly, how industry has come together and works together as a team to try and protect each other is one of the greatest things that has ever occurred across industry. 

Chris Martinez: How did you get involved with the Carnegie Mellon University Software Engineering Institute? Can you share lessons and insights from your experience?

Michelle Valdez: Carnegie Mellon is one of the federally funded research and development centers for the Department of Defense. The Software Engineering Institute (SEI) primarily helps to build different technical capabilities across the Department, one of them being cybersecurity. They were the first and really the only true CERT. It’s not an acronym — it’s actually the name of the organization. 

Michelle Valdez: I was working with a different contractor within the DoD. Carnegie Mellon SEI had people at DC3. When I heard that they were going to be building a similar information sharing program for all of the critical infrastructure, I said, “I want to be part of that.” I reached out to the leader of that team and he brought me on board and gave me that program to build and lead.

Chris Martinez: You transitioned to the private sector in 2015 as the senior director of enterprise cyber resilience at Capital One. Can you share the similarities and differences of working in the public and private sectors?

Michelle Valdez: I would say it's very different. That's what I tell anybody who has spent their entire career in the government like I did and is looking to come into industry. When I was interviewing people at Capital One and now in my current organization, I make sure people understand how different it is. One thing is the speed. Industry can move very fast. We can make decisions very quickly. We can acquire things quickly. We can develop programs from scratch and grow them to full programs in short periods of time, and that is very difficult to do in the government. 

Michelle Valdez: The government has layers of bureaucracy for a reason. It's important that they are set up the way they are. I think in some cases there are more layers than there need to be. But I remember when working in the government, I often felt as if we were stuck in the bureaucracy of making a decision. We used to joke that it would take us two years to have the meeting in order to discuss whether or not we were going to do something. It's an exaggeration. But at Capital One, when I joined, I started with no team. It was just me, and my boss told me to go build a team. And I was asking questions like, how many people and what kind of budget? And he said, "Just go build the team you need. I will make sure you have what you need." It’s totally different. It's not to say that in industry there's not that same level of accountability and planning. It's just a different way of doing it. It doesn't have to go through seven layers of approval, or require a year or two years of planning in some cases to get what you might need.

Michelle Valdez: I also think that there's a cultural difference. I had to learn how to be a better leader when I went into industry, because what I had learned from working in the government and my leadership style there may have been effective then, but it was not effective in industry. I credit Capital One especially in making me a better person and helping me become a better leader because I learned how to be a servant leader and I learned how to be compassionate and empathetic, and actually form bonds with my team members. That was something that would have been very uncomfortable and difficult to do when I was working with the government.

Michelle Valdez: As for similarities, industry and government are alike in that the mission may be different, but there's no less dedication and drive and passion for those missions in industry than there is in the government. I think that that's something that some people may not realize.

Chris Martinez: Do you have any advice on how cybersecurity professionals can build their careers to get to the CISO role, based on your path and experiences?

Michelle Valdez: The first thing I would say is, don't convince yourself you can’t do it particularly if you don't have a deep technical background. I think that there are some companies and some CISO roles where the way that the role is structured, they want somebody who is highly technical. Those just aren't going to be the right roles for somebody who isn’t highly technical, who hasn't been an engineer, or who doesn’t have experience in incident response working in a SOC. More and more these days, people are looking for leaders who can communicate to the rest of the business in a non-technical way, in a way that's meaningful to a wider group of stakeholders. It's becoming more and more about managing risk. I think it's always been that way, but I think it's now driving, in some cases, different skill sets for CISOs. It always depends upon each organization, but I was very fortunate to be brought on to a role where I worked for our Chief Risk Officer and I focused on risk.

Michelle Valdez: It’s all about minimizing the risk to our company from a cybersecurity perspective. I don't have a technical background. I never coded. I never was an engineer. I built programs in organizations. I'm a process person. At one point I convinced myself, there was no way I could do this role. I told myself I would never be able to get there because I just wasn't technical enough. So what I would suggest to people is to learn the different aspects of cyber. You don't have to be an expert. As a matter of fact, I think it's almost problematic if you're too much of an expert in any one field, because it's hard for you to then let your team lead and do what they need to do.

Michelle Valdez: To be more strategic and learn the different aspects, surround yourself with experts who can help teach you. I hire some of the greatest experts, who know way more about what they do. That's how it should be. You want to surround yourself with the best people, because I learn from them every day and it makes us have a better program because of it. Cybersecurity is still this mystical thing to a lot of people. Many people approach it like, "There’s an incident in the news and I don't have to worry about it because there's a team of people who take care of it. I don't even have to concern myself.” One of the hardest things when you're building a framework or a program that you have to transform is helping everybody understand their critical role in cybersecurity regardless of what they do.

Michelle Valdez: It's also important to learn how to communicate. If you can learn how to translate something very technical in a way that makes sense to a business leader, that means you have to spend time with business leaders and understand their world, their pain points, and their concerns. You get insights into what security is doing that is causing friction for their team, by standing in their shoes and understanding it from their perspective. To me, that makes a more successful CISO than somebody who's been an engineer.

Michelle Valdez: I know that there are some people who take on a CISO role who probably have never been in cybersecurity. But I think that's rare. So look for different roles that will expose you to the operational and risk perspectives of cybersecurity. I think it's important to understand risks and understand how to communicate, especially to the business and ultimately to your board.

Chris Martinez: How can security leaders stay grounded during major security incidents?

Michelle Valdez: Take deep breaths. It is so hard when things are happening while you're in incident response mode. You have to be the calming influence because people are going to be spinning. Without calm leadership, you're going to miss things. You’re actually opening yourself up to more threats because you’re not able to fully respond to an incident. Take a step back, trust your leaders to do what they need to do, and make sure that they're keeping you informed, but try not to get into the weeds. Try not to become the incident responder because that's going to make it more difficult for your team members, and it also adds pressure to yourself when you’re trying to be calm under pressure.

Michelle Valdez: Also, keep the executives informed and away from the incident response team. You have to provide that layer, because there's going to be many people who want to know what's going on. Your role is to make sure that they understand and trust the team to respond well.

Chris Martinez: I think this next question might touch on some of those themes. We all work in an industry that's so focused on big growth and valuation numbers, but failure is a big part of that cycle that is almost never addressed properly. How can cybersecurity leaders approach failure constructively and make it less of a taboo?

Michelle Valdez: I make it part of my culture right now, in non-incident mode. My role is to enable and empower my teams to be successful and to give them impenetrable top cover. Impenetrable top cover for me means that I give them space to try things and take risks. I want them to not be afraid of failure, and I encourage that when they do fail, they focus on the lessons learned. Because failure is only a failure if you don't learn from it. If you learn from it and you make improvements, it's no longer a failure. It had a value. It may be an uncomfortable situation, but it's not a failure.

Michelle Valdez: I set expectations and create this culture within my organization, and also set the same expectations and culture with my leaders, meaning the people I work for and the executive leadership team. Demonstrate that you know why it happened, avoid making excuses, and drill down thoroughly into the root cause to go beyond just fixing the technical problem. Show your organization that you're learning from the incident. I have seen many CISOs who have survived and thrived after a major breach by doing these things, because it wasn't seen as a failure. It was seen as something that didn't go right, or a bad break, but not a failure.

Chris Martinez: What are the biggest challenges ahead for the industry in the post-COVID era?

Michelle Valdez: I think that this is going to be the most difficult time for cybersecurity professionals. I know that a lot of people felt that going into COVID was incredibly challenging because so many companies went from not working from home to working from home. I had to stand up a lot of security capabilities in very short order. But I think that a lot of companies showed that they were able to do that.

Michelle Valdez: The way that the technology and security teams within my company stepped up to the challenge and rose to the occasion proved that that was something that wasn't as challenging as everybody thought it was. We're now going into a hybrid environment. And that hybrid environment I think is going to be more challenging than anything from a cybersecurity perspective that we've ever faced, because you're going to have some people remote and some people in the office. People will be in the office at different times, and people who've been working from home will now be going into the office. When you're working from home, you don't perform the same kind of security behaviors as you do in the office. We're reminding our people of these things as that transition happens.

Michelle Valdez: What are the things we all need to do? Simple things, like locking your computer before you walk away. I guarantee you, nobody at their house locks their computer when they step away, because they're in their home office. We're in this in-between, which I think is going to become reality. I don't ever see us going back to everyone working fully in office across the entire workforce. I think people have learned that there is a wonderful balance with working from home that can be achieved from an effectiveness and deliverables perspective and from a personal perspective. This balance can absolutely make a better environment and a better workforce than we've ever had. But it is going to mean we have fewer people in the office and we have to make sure that we're building in different controls that are necessary in both environments and not just solely focused on one or the other.

Chris Martinez: Would you be able to talk a bit about some of those strategies?

Michelle Valdez: Without getting into specifics, I think that as we move back to bringing people into the office, there's going to be things like banners on logins, or swag and tips put on people's desks, or increased training and awareness types of activities, or town hall meetings. Anything that helps in broadening the scope of how often we're talking to people about what they need to do for security. We're making sure that our annual awareness training is timed around when people are going back to the office, so these ideas are top of mind. We’re very fortunate because Cybersecurity Awareness Month is going to be right around that time, in October. We're going to take full advantage of that and make sure that we have a lot of different activities to encourage people to attend both from a virtual and an in-person perspective. We have to think about how to do this well in both environments. We’re thinking about the human risk aspects, especially around the time during that surge. I have no doubt that most companies are going to be putting some enhanced monitoring in place as we move into that hybrid environment.

Chris Martinez: What should up and coming cybersecurity leaders look for in a mentor?

Michelle Valdez: Going back to what I talked about before, when I think about people who have mentored me, the best guidance comes from the people who have helped me believe in myself. Imposter syndrome is a real thing for CISOs, no matter your background, or how long you've been in the role, or the way we've done it before, or whether you're a man or a woman, or whether you're an underrepresented minority. It happens to every CISO I know. You need to have people to talk to and help you through it. I’m part of CISO groups where we rely on each other when we’re having one of those days. Look for somebody who prepares you for the communication and resources challenges you're going to face. One of my mentors helped prepare me for my first presentation to the board because I was terrified. I was like, "Oh my God, I'm presenting to the board of directors. I've never done this before." They helped me think through the things that are important to convey and how I would speak to those things. It was so beneficial.

Michelle Valdez: When I've talked to other people about mentoring CISOs, I think that it is something that most CISOs don't do well. I don't know if you've seen the security strategy that the CISO at Equifax published. I've never seen anybody publish something like that before. I've read it at least five times. He speaks on how we do not as a community help to grow leaders, the way that we should. I wish I had somebody that I could ask about my challenges and not be worried that they think that I'm not competent enough to be a CISO. It’s important that we have a community that we can trust with people that tell us what we need to hear and help us, but not judge us in any way shape or form or question our ability or us being in our leadership positions.

Chris Martinez: Would you be able to share some of those CISO groups with our listeners?

Michelle Valdez: The groups I’m in are made up of my personal friends who are CISOs. I know that there are a ton of more formal groups out there, and I've participated in several different round table conversations and Chatham House Rule conversations. I know that there's one that's associated with the RSA conference, the CISA that brings together CISOs. That's where I learned a ton, and I think that there are groups in every single sector. Information sharing and analysis centers are also a great resource for cybersecurity and for CISOs. But the groups that have been most valuable for me have all been built on top of my personal relationships. There are several of us in a Signal group where we share experiences, ask questions, and look for advice. These are people that we can pick up the phone and call because we've all grown up together in this environment. I think that those have been incredibly valuable relationships.

Michelle Valdez: But there's definitely no shortage of opportunities. Honestly, there's a ton of different podcast groups that you can leverage. If you hear somebody on a podcast or a webinar, reach out to them. They can be an enormous resource to you.

Chris Martinez: How have you approached data security over your career as a CISO?

Michelle Valdez: I think this is something that is becoming more and more prominent in the CISO role than before. Early on, it was about protecting the environment. At first, it was keeping people out, which we realized wasn’t realistic because nothing is impenetrable. Then it was a question of, if they get in, how do we keep them from taking anything, which wasn’t working either.

Michelle Valdez: One of the things that we as an organization are emphasizing from a cybersecurity perspective is protecting data. As everybody's environment is changing and shifting with COVID, we went from people being in the office to working from home. The attack surface has expanded, and in many cases exploded, and that perimeter is starting to evaporate. It really has to be about how to protect the data. That is a major key focus of our strategy at One Main, to make sure we are putting in the proper technology, the right people, and the processes for data security. If a bad actor gets into our environment, they won’t get our data, which is our best commodity.

Chris Martinez: What motivates you to get out of bed every day as a cybersecurity leader?

Michelle Valdez: The impact that I make every day in protecting my company.

Chris Martinez: What are the top two lessons you've learned from your team in the last year?

Michelle Valdez: First, go slow to go fast. I've learned that before, but I really learned it here, especially during COVID. Second, the importance of connection. Not just about work, but making sure that you find ways to connect in a non-work way.

Chris Martinez: What does “go slow to go fast” mean?

Michelle Valdez: Don't try and jump at a problem with the first solution that comes to mind. Don't immediately implement a tool. Take time to understand the environment and the problem, and take time to evaluate and think through downstream impacts, particularly on the workforce from a cybersecurity perspective. You want to put all of these things in place to protect the company, but you absolutely first have to think about the impact that's going to have on the workforce.

Chris Martinez: What are you most proud of in your career as an infosec executive?

Michelle Valdez: Seeing the growth in people who either I started my career with or started their career on my team, and watching them do what they're doing today, and seeing the amazing things from people that I've interacted with throughout my career. Watching them excel where they are, and seeing their impact. Just being a part of that is valuable to me. This is an amazing community to be a part of. When I see women leaders who started on my team get into CISO roles and become the CISOs, hopefully it means I made a positive impact on their lives.

Chris Martinez: Which podcasts or books have you read lately that you can recommend to our listeners?

Michelle Valdez: I think that there are three podcasts that are excellent. I think CISO Insider is a fantastic podcast for CISOs. Humans of InfoSec with Caroline Wong is a fantastic podcast. It gives the perspective of leaders from a different view. And David Sparks' podcasts also, with the challenges that they go after and the problems that they talk about. Those are ones that I regularly keep track of, but I haven't read any books lately. Podcasts have been my thing these days. I spend too much time on a computer as it is. Listening is better.

Chris Martinez: Thank you so much for saying that about our podcast! It's guests like you that elevate it. 

Michelle Valdez: This has been great. I was thrilled when you reached out and asked me to participate.

Chris Martinez: Do you have anything you want to promote like social media channels, articles you've written, or pieces from your team?

Michelle Valdez: I'd like to promote the work that’s trying to understand human risks. There are several companies that are investing in understanding this. To me, information security leaders should read anything they can find on human risk and really understand the research, because it's different from what most of us have thought all along. People think human risk comes from the most junior person, but it’s actually your middle managers. And there are other factors, like what time of day the vulnerabilities happen. Understanding human risk can transform how you're thinking about cybersecurity.

Michelle Valdez: The most important thing for understanding human risk is that you can change your control environment. We all have limited resources. Focus your very limited resources on the highest risk areas and take a different approach than a broad swath for everything. There's been such great work this year in understanding human risk. It had its own entire section in the RSA Conference this year for a reason.

Michelle Valdez: I'm also a huge advocate of resiliency and understanding and balancing the typical cybersecurity program that focuses on the threat with the focus on minimizing impact. There's some great stuff that has been put out recently about resiliency. Those are the things that I strongly encourage anybody in information security and cybersecurity to consume and understand, and it will change your viewpoint and can create major improvements in your work environment and in your personal life too.

Chris Martinez: Thank you for your service, and thank you for joining us on CISO Insider and hope you have a wonderful day.

Michelle Valdez: You do the same. Thank you.

Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry’s first cloud native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at Nightfall AI. That’s Nightfall AI, and email us at marketing@nightfall.ai with questions, feedback and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from. Stay safe out there and we’ll see you again next time.   

Next time on CISO Insider, Datadog CISO Emilio Escobar joins us for our Season 2 finale to share his approaches to infosec and why he sees data as trust. We’re excited to share our chat with Emilio on August 18.