THE POWER OF MENTORSHIP
“I would not be where I am in my career if not for my very first mentor. She was the Deputy CIO at the FDIC when I worked there as an assistant early in my career,” explains Holly Ridgeway, the Executive Vice President and Chief Security Officer of Citizens Financial Group. That early and critical mentorship set Ridgeway on a successful trajectory, from college through the government, private sector and to her current role as CSO at Citizens.
Ridgeway continues, “The mentorship relationship is extremely important for everyone in IT and information security, but especially for women and minorities. I have selected a mentor at every organization for which I have worked. My first mentor from the FDIC is retired now and I asked how I could repay her for all she did while I was under her wing. She said I should pay it forward. I have tried to live with this as my core philosophy ever since then.”
Ridgeway has taken that request to heart. She is concerned that the United States is lagging behind other nations in the development of cyber security talent. That concern, combined with her commitment to mentoring, inspired her to take on a number of advisory roles as she has advanced in the information security industry. Ridgeway teaches the capstone course in information security at the University of Maryland University College. She strongly supports the Wounded Warriors program, and she supports women and minorities by helping them understand the exciting opportunities available in the cyber security industry. Recently, Ridgeway attended the National Governor’s Conference and made contact with Girls Who Code to support groups that help close the gender gap.
She encourages other CISOs to reach out to young people to educate them about careers in information security. She says, “We need to start at an earlier age, we need to give students access to curriculum that will drive their interests. Everyone thinks forensics is what they see on CSI, and they are excited by that. Forensics is also important to cyber security, but right now the interest is not driving enough people to enter our industry.” Ridgeway believes one reason is the negative press attention given to cyber security. “The breaches and hacks in the media make cyber security seem scary. The truth is there are many interesting aspects to cyber security, but we do not do a good job of educating them.”
In Ridgeway’s opinion, young people can be a tremendous asset to her team. She says, “These are our team members who are recent college graduates/interns just starting their career in cyber security. They are not boxed in by assumptions or past preconceptions. They are extremely innovative.”
APPLYING LESSONS LEARNED
In her diverse career, Ridgeway helped build out the FDIC’s FISMA compliance program, participated in the creation of the information assurance program at the FBI and has stood up many Security Operations Centers, the first one being at the FBI years ago. Ridgeway has collaborated with many government and private entities, including NIST, DHS, BITS and the FS-ISAC. She took on the CISO role at PNC, then expanded her expertise across more industries while consulting at Mandiant. She currently is on the Board of Directors at the NCFTA.
Now as CSO at Citizens, Ridgeway reports into the Head of Business Services, who reports directly into the CEO. This organizational structure gives Ridgeway strong visibility within the company, and exemplifies the bank’s commitment to security. Her team is comprised of approximately 200 employees who work across seven specific functions ranging from cyber defense and physical security to identity and access management.
Over the years, Ridgeway has established a method for starting her program with any organization. “In the first 90 days, I observe. I dig into all the programs, I build relationships and I emphasize collaboration. Citizens had already made great strides in security before I arrived. As I looked at the program it was already in alignment with the business, and I can focus on ensuring our program evolves to address new risks and requirements.” She explains how the company is currently reviewing required adjustments to be in compliance with the NY DFS cyber security regulations.
Ridgeway is applying her deep understanding of risk assessments and gap analysis to identify the improvements needed to keep pace with business changes. In addition to helping her identify new risks, the assessment provides a good baseline, helping Ridgeway understand which data is most important to the organization, and where that data resides.
Ridgeway notes, “My team is strong, and the foundation of the program is very strong as well, but it is my job to understand emerging threats and most importantly ensure we are continuing to align strategically with the business. Each time a business unit unveils a new distribution area or a new service, our security risks also change. My team needs to be able to adapt to that within our program. We have to ensure that security is transparent to the business and customers.”
FOCUS ON PROTECTING DATA
Ridgeway keeps her team and program on track by maintaining clear tactical priorities as well. She explains, “In the end, security is all about protecting data. Data, data, who has my data? That means we need to take a close look at the technologies that we rely on and also the third parties that have access to our data. We need to understand what their security looks like as well.”
Among Ridgeway’s first steps at Citizens is an evaluation of the security technologies running inside the company. “We are in the middle of a total review of our systems. First, we are looking at those systems that require a lot of daily care and feeding – intrusion detection systems, tools for monitoring correlation, identity and access management and network visibility. Are we maximizing the performance of our investments? There is no point in running a security tool that does not deliver actionable data and value.”
Ridgeway suggests that while many of the larger security vendors have added technologies to their product suite, those new solutions sometimes suffer from a lack of funding and focus. “We have to be careful about consolidation. ‘Jack of all trades’ and ‘master of none’ definitely applies to some of the bigger vendors. As an organization, we still need specialty products. In general I am a fan of mixing it up as part of a defense in depth strategy. That way an organization’s network is not exposed to the vulnerabilities of a single product.”
For advice on which new security innovations to bring into the organization, Ridgeway relies, in part, on the same people she herself is mentoring. She explains, “My students are required to do a technology evaluation as part of the course curriculum. The information they pull together is very insightful.” She combines input from her students’ reviews with insight from all industry sectors, conferences, employees and peers, and relies on bake-offs and proofs of concept to validate solutions before implementing them at the bank.