Tim Callahan, Senior Vice President and Global Security Officer at Aflac, talked about the challenges of promoting meaningful security legislation that doesn’t compromise privacy.
“It’s odd that our cybersecurity policy is often shaped by people who really don’t know or who have some personal gain in mind,” stated Callahan at the outset of his keynote presentation at the 2017 Chief Information Security Officer Leadership Forum held on April 5 in Atlanta. “We don’t have practitioners influencing this,” he said.
“Security risks are growing at a faster pace than the industry can react or adapt. Breaches are the norm,” he stated. “For example, regarding the two breaches of the U.S. Office of Personnel Management that occurred, the latest statistic I heard is that 23 million people had their data compromised. We need to get more involved in the public discourse. We have to start being heard regarding the things that enable us to do a better job,” he emphasized.
Callahan presented three types of threat actors and their motivations:
• Criminal—motivated by money generated by ransomware and the selling of data. “We’re still working with the criminal computer access and fraud legislation that was passed in 1984.”
• Hacktivist—motivated by making a social or political statement. “Companies that have a high public profile or are in certain industries—pharmaceuticals, gas and oil—always seem to be the target,” he observed.
• State-sponsored—motivated by politics. “We should all be concerned about this.”
“If the bad guys are talking, we need to be talking,” said Callahan. “They’re sharing information, and there’s no doubt in my mind that criminals have bought all the security tools we use and rely on. They’ve bought them to try to defeat them. It’s like we’re constantly fighting a guerrilla war,” he said.
“Part of the problem is, when we or our congressional representatives try to get legislation through, there’s a tug between privacy and security. We’ve seen that kill some good legislation. Very few of the cybersecurity bills that have been passed have helped the private sector. One of the reasons is there are so many federal agencies involved, and each of them has its piece of the pie. We, in the private sector, can’t look to the federal government to help us,” Callahan said.
“One exception to the previous statement is the 2015 CISA, which did some very good things,” he stated. These included giving companies protections in how they share information and providing companies with some limited indemnity.
The Automated Indicator Sharing Program was one of the benefits of CISA, Callahan observed. This is a DHS program that allows the exchange of threat indicators, such as malicious IPs and phishing attacks. There’s no formal agreement in this program and no cost (it’s funded by DHS); a server is installed in the company environment. “This program becomes most valuable when more people share,” he pointed out.
Callahan outlined what businesses in the private sector can do to move the needle on security legislation:
• Participate in the public discourse on cybersecurity. “At Aflac, this is part of our corporate social responsibility.”
• Continue to collaborate and be involved in information sharing (FS-ISAC, CISO coalitions, etc.).
• Get involved with your company’s Government Relations Team.
• Reach out and make yourself available to your congressional delegation.
• Get involved with other CISOs—in particular, outside your sector—to understand larger cyber issues.
• Work for organizations dedicated to influencing public policy and regulatory guidance.
Areas that still need to be addressed by government include:
• Gaining the protection offered by CISA at the federal level to work with state agencies.
• Establishing a national notification law that has a safe harbor (encrypted at time of loss; no notification required) and a reasonable, standardized harm trigger.
• Implementing third-party obligation. “If you’re a covered entity, you must have a security program. Now we have cloud services hosting data, but they’re not subject to or included as a covered entity.” There needs to be shared responsibility, and carriers must be obligated to deliver clean traffic.
ABOUT TIM CALLAHAN:
Tim joined Aflac in April 2014 and is responsible for the Aflac Global Security Program, which includes technology risk management, physical asset protection, the information security program, threat and vulnerability management, cybersecurity operations, information technology compliance, security engineering, crisis management, business resiliency, and disaster recovery. He's responsible for the protection and availability of the information assets for the world’s leading provider of supplemental and voluntary insurance. He leads various security and risk committees and structures to help business partners accelerate in a safe and sound manner while protecting Aflac clients.
Prior to Aflac, Tim was senior vice president, business continuity and information assurance, at SunTrust Bank. In this position, Tim was responsible for SunTrust’s corporate threat and vulnerability management, information security monitoring and investigation, business resumption, incident response/crisis management, technology risk project office, and records and information management programs.
Prior to SunTrust, Tim served as first vice president, technology risk management, and chief information security officer at Peoples United Bank in Bridgeport, Connecticut. During his tenure, Tim also served on the State of Connecticut Judicial Committee on Identity Theft to assist in building requirements for protecting sensitive personal information introduced into the judiciary through legal actions.
Tim was a career military professional serving in leadership positions throughout his 23-year career. In his final assignment, Tim was the program manager for a command risk management function at one of the U.S. Air Force’s Major Command Headquarters.
Tim is a recognized industry thought leader, with awards that include: Evanta’s 2015 CISO Top 10 Breakaway Leader Award; 2009 Information Security Executive of the Year—Northeast People’s Choice Award; 2007 Digital ID World Industry Award; 2006 Information Security Executive of the Year—Southeast People’s Choice Award; and 2006 Digital ID World Industry Award. He's a certified information systems security professional, a certified information security manager, a certified project manager, and is certified in risk and information systems control. Tim holds a Bachelor of Science from the University of the State of New York.