Jan 16, 2024
Stacy Hughes, a finance technology (fintech) veteran with more than 20 years in the industry and CISO at Voya Financia discusses her security leadership philosophy with Cloudy with a Chance of Trust host and Zscaler CTO in Residence Pam Kubiatowski.
Editor's note: The following insights were taken from a recent episode of the Cloudy with a Chance of Trust podcast. You can listen to Stacy and Pam's conversation here.
CISOs are facing mounting pressures and challenges as they prepare for the new Securities and Exchange Commission Incident Disclosure rule, currently in effect, that requires public companies make public “material” cybersecurity incidents and company efforts surrounding cybersecurity risk management, strategy, and governance. For CISOs, this underscores the importance of communicating the business value of security to executive leadership and the board to ensure that security effectively and efficiently minimizes risk while supporting growth and profitability.
Recently on “Cloudy with a Chance of Trust,” our podcast for technology leaders, I had the privilege to speak with Stacy Hughes, a finance technology (fintech) veteran with more than 20 years in the industry and CISO at Voya Financial, a leading health, wealth, and investment company with more than 14 million individual workplace and institutional clients.
We discussed the evolving role of CISO amidst the SEC rule, innovation and AI in security, how diversity in talent builds more resilient teams, and the importance of mentorship. Through the lens of the highly regulated and compliance-oriented fintech sector, we see how security is built into everything Voya does and how to navigate complexity by communicating “the why.”
The CISO role is more visible than ever
The new SEC rule standardizes disclosure of cyber incidents by public companies, requires timely reporting (within four days of an incident), and places the onus of responsibility on the shoulders of the CISO. Between this regulation and recent fraud charges brought against the SolarWinds CISO, there is more focus on the CISO role than ever before.
No stranger to strict regulations, Hughes offers an optimistic perspective from her experience in fintech: “There is a bigger spotlight on the CISO role within an organization now, and it offers an additional communication aspect that may not have traditionally been there. It’s more important than ever to have a good partnership with the business and to communicate to senior leadership and respective boards in business terms the evolving threat landscapes and risk mitigation strategies.”
Given the economic headwinds we’re facing, I’m hearing from CISOs that it’s been a challenge to find funding to support initiatives they need to put in place. Hughes advises that “finding a balance between security and growth initiatives comes back to risk and communicating the business value that security can bring to the organization.”
She suggests a few strategies CISOs can leverage to garner the support they need:
- Communicate the why in business terms and tie that back to strategic initiatives.
- Align cybersecurity priorities to the organization’s risk appetite, and test your process for upward communication.
- Exercise incident response plans, and ensure they conform to new SEC guidelines.
An exciting time for security innovation and AI capabilities
Technology is constantly changing, and right now the “shiny new toy” is AI. Fintech security professionals are uniquely positioned to incorporate innovation into their practice. I asked Hughes to share how Voya stays on top of technological changes and leverages AI capabilities for security.
“The degree of compliance and regulation that we must adhere to means that security is embedded in everything Voya does—and this allows us to grow faster,” Hughes says. One example she shares involves the use of language learning models (LLMs), a form of AI, to protect customers’ assets from account takeovers. LLMs can predict fraud activity by taking an historical look at how a customer has logged into their account and tie that to their geolocation.
We compared the rise of AI to other technology trends. Hughes recalls, “I think back to when the cloud was new and there were a lot of questions about its viability. Now, the cloud is considered an amazing technology—a robust, scalable system with security and reliability built in. I see AI taking off on the same path. There are so many possibilities, like risk-based alerting or other capabilities down the road, that will help us secure our organization.”
Cybersecurity awareness at every level
Every CISO struggles to maintain a balance between protecting business assets, customers, and employees. During our conversation, Hughes touched on an important and often overlooked aspect of security: by securing your employees, you are securing your customers.
Voya trains employees at every level on cybersecurity. In addition to required security awareness courses throughout the year, Voya holds monthly meetings for all employees to learn about trends and topics and share takeaways that they can bring into their personal lives. Within the cybersecurity teams, employees develop individualized training, take online courses, and attend conferences to help them “sharpen the saw” with new tactics and procedures.
For business leaders and CTOs, Voya has assembled a cybersecurity steering committee that meets bi-monthly to educate leaders on the why behind the need for certain tools and processes to address aspects of the ever-evolving threat landscape. “We utilize this forum to help leaders understand the changing threat landscape, how we mitigate risk, and how their department might be impacted,” Hughes remarks.
At Voya, support comes from the top down. “I’m honored to meet with our CEO monthly to talk about our cybersecurity initiatives. Our customers entrust us with their savings, and this is a real honor and privilege, and it’s why we take security so seriously. It’s critical to our mission and great to have executive support for those initiatives,” she says. One of those monthly meetings recently took place as a fireside chat to discuss security. That conversation caught on internally, helping to spread their information security message.
Diversity and inclusion build resilient organizations
On this year's International Women in Cyber Day, Hughes wrote about the shortage of women in cybersecurity: women make up only 11% of the global cybersecurity workforce. “Diversity of talent brings broad perspective and wide-ranging insights, and, with cyber in a constant state of change, we will all benefit from cybersecurity teams with a 360° view of the landscape,” she shares.
We discussed the unique challenges women face in this industry and the inclusion efforts, especially aimed at those who are caregivers for children and other family members. She points out that, at times, women have been hesitant to join cybersecurity, especially at the CISO level, because of the high stress levels and poor work-life balance.
For each woman in cybersecurity, overcoming that challenge will look different, but Hughes offers some guidance on how she’s managed to be an effective wife, mother, and a senior security leader. “I talk with my daughter about the why behind my career choice and my job so she can understand what I do when I’m away. I can see the pride in her when she sees what I’ve accomplished. It’s important to share the struggles as well and model resilience,” she relates.
Finding support among peers and colleagues is a great avenue to achieving balance. Hughes explains, “I built a support group around me and was honest about my struggles to meet the demands of both work life and home life so that they could be there to help when there were things at home I couldn’t neglect.”
Hughes encourages cybersecurity leaders to double down on inclusion efforts to attract and keep a more diverse workforce:
- Provide guidance for those new to the cybersecurity industry and uncover their strengths and passions.
- Use those strengths and passions to help open doors and broaden their network.
- Be a sounding board for testing ideas and rehearsing important conversations.
- Give new team members the chance to present, and encourage them to speak up during meetings.
Supporting Women in IT
Hughes urges other women to mentor new security professionals: “I’ve had many supporters over the years, and now it’s my turn to help. It’s such a good feeling to be someone's cheerleader behind the scenes. As security leaders, there are only so many hours in the day, but we need to make the time.” Mentoring will help address the talent shortage, and, after all, mentees are the future.
Hughes shared a few amazing programs she’s participated in outside of Voya: Cyversity offers a six-month mentee/mentor relationship; City of Refuge innovation hub in Atlanta has a six-month training program focusing on cybersecurity skills for women in technology; and Women in Technology Single Mothers Program provides a cybersecurity certificate and job placement service.
You won’t want to miss Stacy Hughes at the upcoming Zscaler Women in IT & Security CXO Summit on January 23 through January 24, 2024. I encourage female CXOs to register today. Event details can be found here.
What to read next:
Security leaders under the spotlight with Voya Financial CISO Stacy Hughes (part 1) [podcast]
In conversation with Shelley Zalis, Founder & CEO of The Female Quotient
Recommended