Interview
For the newest instalment in our series of interviews asking leading technology specialists about their achievements in their field, we’ve welcomed Kathleen Moriarty, Chief Technology Officer at the Center for Internet Security.
During her tenure in the Dell EMC Office of the CTO, Kathleen had the honour of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014 to 2018. She was named in Cybersecurity Ventures' Top 100 Women Fighting Cybercrime and is a 2020 Tropaia Award winner for Outstanding Faculty at Georgetown SCS.
What were impactful projects that have influenced your path toward becoming a CTO?
That’s an interesting question as my career path has evolved with positions that were focused on security and then balanced by other roles that required technical depth in a broader purview. There are two notable recent experiences that broadened my work and experience, which were beneficial in the path to becoming a CTO.
Serving in a practice management role for EMC Consulting provided the opportunity to oversee security, risk, and governance projects across multiple industries. The view across industries provided insight into the differences in managing security in each, but also that the outcomes for organizations depended on the maturity of a security program. If the organization was aligned to business needs, the morale was higher and the security program tended to be managed in a risk-based approach.
As an Internet Engineering Task Force (IETF) Security Area Director, I had the opportunity to read all IETF standards published for 4 years, across the protocol stack. This position was uniquely helpful, providing an opportunity to expand my technical depth beyond the area of security in a meaningful way. This also provided insight into areas of technical interest for numerous large organizations. This broad view helps as a CTO, both for the knowledge gained as well as the rich set of industry contacts beyond a speciality area. No single person will be able to cover all technical areas, but knowing who you can call upon to learn more is incredibly helpful.
As CTO, what do your day-to-day responsibilities look like?
CTO roles carry both internal and external responsibilities. For the external responsibilities, like other executives, you represent the business. The CTO may focus on the technical growth directions publicly, while also supporting the current initiatives.
In this external role, it is also imperative to observe industry trends and read voraciously. Maintaining an interest in research and learning is an important part of the CTO role to ensure you are able to identify industry trends and act on any inflection points within the right timeframe.
The internal role is to work across the business in support of the organization’s mission. As CTO, you consider the external trends and inflection points, mapping those back to a guiding technical strategy for the business. On a normal day, you might engage in several projects providing input on decisions for services or it might involve reviewing documentation for a product or the product itself.
What advice would you give aspiring CTOs and entrepreneurs?
Read and listen to experts in your field as well as in related fields. It is imperative to stay on top of evolving trends and technological advances in order to project what might be coming around the next corner.
As a CTO, you need to have a strategy in place for the near term, but also a strategy for the long term. The strategies may align, there may be a trajectory between the near and long term, or it might result in a new path if there is disruptive technology coming.
How do you think the role of CTO has evolved in the last five, ten, fifteen years?
The role of the CTO may vary between businesses and even between CTO hires at the same business. In some cases, there is a cycle where one CTO is focused near term and the next is focused long term.
A CTO at a research-driven organization might always have a long term view as that is within the culture of the business. In other cases, IT and security are there to support a business function and remain near term focused on technology support. If technology is not the product, missing an inflection point in the area of the business would be more critical than supporting technology.
What new challenges are CTOs facing today?
Rapid change is likely the biggest challenge, as every part of the protocol stack has been evolving from hardware all the way up to application design. Understanding the changes is one part of the equation; in some cases, you might be driving the change.
The other part of the equation is to determine what can be done by stepping back and viewing the bigger picture. Another challenge is the supply chain and the unpredictability of what will be impacted next or longer term.
What do you see as the hottest trends within your industry today?
There is an imperative for change due to the volume and scope of cyberattacks. As such, organizations and governments are more interested in seeing security built in. This trend is also informed by the push for encryption. Strong ubiquitous encryption has changed from a trend to an inflection point, shifting the management of security from middlebox solutions to the endpoint.
This provides a unique opportunity to re-think how we architect security to better scale, a topic where I have spent considerable time, publishing, “Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain”, 2020.
What can we hope to see from your business in the future?
The Center for Internet Security provides best practice guidance in the form of well-established and trusted documents including the CIS Critical Security Controls and the CIS Benchmarks. While it is possible today to purchase products with validated adherence to these best practices, in the future, I expect to see increasing automation that scales to support foundational aspects of the CIS Critical Security Controls and other security control frameworks.
Examples include automated assurance of asset management that stems from trusted infrastructure assurance as well as vendors providing posture assessment on an ongoing basis against benchmarks. Ideally, this automation will be architected to scale with little management needed from distributed organizations, a model better suited to those with few resources such as those supported by CIS.