Paul Connelly built the first cybersecurity programs at two of the world’s highest risk organizations – the White House and HCA Healthcare (one of the largest healthcare providers in the U.S.). He led those programs for a combined 28 years in CISO roles, and in-between, he spent six years building a cybersecurity consulting practice at PricewaterhouseCoopers. He is broadly experienced – C-level leader at a Fortune 100 company, partner at a big four public accounting firm, and senior civilian at a DoD agency at the White House supporting three U.S. presidents.
Paul is also a developer of people, with thirty-four team members selected for CISO positions, and by now serving as a cybersecurity educator.
Recently, in an exclusive interview with CXO Magazine, Paul shared his career trajectory, insights on the key threats in the cybersecurity industry and its future, the essential skills required by a modern CISO, pearls of wisdom, and much more. The following excerpts are taken from the interview.
Paul, we would love to know about your journey into cybersecurity and ultimately how you became a CISO.
I’m not sure how the planets aligned this way, but I have bachelor’s and master’s degrees in agriculture, yet somehow landed a job at the U.S. National Security Agency in the early days of information security – 1984. The Internet, mobile phones, and the terms “cybersecurity” and “CISO” did not yet exist – we were primarily focused on cryptography and stopping the Soviet Union from spying on us.
In 1987, I was detailed to the White House to build the first information security program to protect the “national security systems” that link the defense, intelligence, and diplomatic communities with the President, Vice President, National Security Council, White House Situation Room, and presidential travel anywhere in the world. In 1989, they named me the first ISO – Information Security Officer and I stayed until 1997, serving under Presidents Ronald Reagan, George H.W. Bush, and Bill Clinton.
It was an incredible learning experience and honor – working in the White House, supporting the President, traveling all over the world, and doing a job where I was making a difference.
I left in 1997 for the opportunity to start an information security consulting practice at PricewaterhouseCoopers. I worked with multiple Fortune 500 companies’ senior leaders and boards, became a partner, and learned how InfoSec must integrate with business strategy and operations to be successful.
I had another opportunity to build a program for a high-risk organization in 2002, when one of my PwC clients, HCA Healthcare, asked me to be their first CISO. I stayed in that role for twenty years, transitioning from CISO to Chief Security Officer as Privacy, Data Governance, and Physical Security were brought under my oversight in 2012. I retired from HCA last April.
Across my career, I was in the right place at the right time and was surrounded by great people – as evidenced by having 34 members of my teams rising to become CISOs.
My hope is to serve on boards of high-risk companies the next step in my CISO evolution.
What are the key threats in the cybersecurity industry right now? What are the main challenges CISOs are facing?
The threats are relentless and continuously rising – becoming more sophisticated, customized to their targets, and stealthy in their approach. The “Big Four” threat actors continue to be China, Russia, North Korea, and Iran, and their attacks aim for financial gain, military or geopolitical gain, theft of data and Intellectual Property, and/or just creating chaos.
Generative AI is making the threat worse by enabling more-refined selection of targets, identification of attack paths, higher quality of attacks, and greater velocity and span of attacks. AI is also lowering the “cost of entry” for criminals to get into hacking. We are already seeing AI used for phishing and other social engineering attacks, and Deep Fakes of voice and video.
Defending against these threats is continuously getting harder, too, as companies’ boundaries are blurred by 3rd party dependencies, use of the cloud, M&A, and partnerships. Fortunately, Gen AI will also help us improve the identification of threats, vulnerabilities, and response actions. The defender is always trying to find the needle in the haystack, and Gen AI will help.
If I were to pick the biggest challenge CISOs face, I’d say it is a lack of connection with the senior leadership and board levels. CISOs need to operate at that level in their organizations, and many do not have the skills or do not have an audience that understands their challenges.
What significant changes do you see occurring within the information security market over the next 3 to 5 years?
I think the market will continue to introduce great new capabilities, largely relating to Gen AI, and will (hopefully) see some consolidation among all the single-threaded solutions.
The 3-to-5-year window may include the arrival of quantum computing, which will introduce major cybersecurity challenges, but also opportunities for improving defenses.
I also think this time period represents an inflection point in the evolution of the CISO role, and CISOs need to up their game – not as cybersecurity experts but as business leaders – to secure a seat at the senior leadership table and on boards. To make that happen, the modern CISO needs to step up from the SOC and grow to operate as a senior business leader – by developing business strategy understanding, communication skills, financial acumen, engagement in strategic programs, and other leadership abilities their C-Level peers demonstrate.
The role of the modern CISO is changing. Based on your experience, what are the essential skills a CISO should have now?
The modern CISO not only needs to understand IT and drive cybersecurity strategy and operations, but they also need to be business and culture leaders. Being a world-class cybersecurity expert is not enough to be a modern CISO.
The role is more important than ever – it is a critical risk at most companies, and to be effective, CISOs must operate at the senior leadership and board level. Being a cybersecurity expert is not enough to earn a seat there – CISOs need to be trusted partners of business leaders, great communicators to all levels, engaged with the workforce and operations, contributors to business strategies and the financial situation, and well-rounded executives who engage in other areas, like employee culture and governance.
What can organizations do to create a positive experience for applicants?
It is all about culture. When cybersecurity is integrated into operations, viewed as a business enabler, placed in the right position in the organization, and everyone shares a sense of ownership you have a great culture that creates a positive experience, attracts talent, and retains good people.
What do you think about when you hear integrity? Particularly system integrity. How important is that in security, compliance, or just operations?
Integrity is the most overlooked part of the security triad of Confidentiality, Integrity, and Availability, because most cyber-attacks go after data theft or availability. However, integrity attacks, e.g., the manipulation of data, could be extremely damaging and another way for cyber criminals to leverage financial returns. In research, healthcare, financial statements, etc. – integrity is crucial. Cybersecurity is all about integrity and trust, and that is foundational to compliance and organizational success.
What do future information security careers look like? Any strategies you would like to tell us about to future-proof a career in this industry?
It is a great career option – huge demand and short supply.
One point is – you do not have to be super technical. Some of the best members of my teams have been psychology, journalism, business, and philosophy majors. I studied agriculture! What matters is the desire to learn and work – that inner drive, not the training or major.
Degrees and certifications are great, but nothing tops hands-on experience. In my last role we would bring in summer interns as soon as their freshman year in college – I highly recommend getting real-world experience over certifications.
One of the shifts for CISOs is that our “soft skills” are critically important going forward – as I said earlier, being a technical expert is not enough – the ability to communicate well, building trust with business leaders and the workforce, and being a culture builder have become a key part of the role. I used to say fifty percent of my CISO role was being an evangelist for cybersecurity.
Last point – CISOs need to develop the future generations of cyber leaders to be both cyber experts and business leaders. It should start early in the colleague’s career – getting them broad training and exposure. If a member of your team wants to go for a master’s degree – point them toward an MBA instead of a technical degree. Give them experiences in external areas such as community service and governance to broaden their perspectives.
What takes a CISO from good to great?
Going from a technical cybersecurity leader to business leader.
How do you stay up to date on emerging trends and threats in cyber?
It is a daily part of the job – I do daily reading from multiple news sources and white papers, listening to podcasts, and attending conferences when I can. Teaching others also forces me to stay current.
What advice would you give other CISOs or hope-to-be CISOs?
Build broad cybersecurity skills as the foundation, develop complementary skills like communications and business understanding, and then seek experiences that will make you a well-rounded business leader and trusted partner.