For those who have grown up with the internet, it’s probably hard to imagine a time when cyberattacks did not loom as an existential threat to organizations. But the role of Chief Information Security Officer (CISO) is a fairly recent invention, coming into existence in 1994 after Citigroup, the financial services behemoth, experienced an embarrassing series of cyberattacks.
In the early days of the title, the CISO role was mainly about managing the technical aspects of information security: implementing firewalls or intrusion detection systems. Today, increasingly complex cloud-based systems and an era of sophisticated ransomware have made the job far more demanding.
The CISO now plays a critical organizational role, in close contact with both C-level executives and the board of directors. They act as strategic thinkers at the intersection of business, technology, and policy, drawing on a diverse array of skills and expertise.
That job description could hardly be a more perfect introduction to Taiye Lambo.
Lambo has worn many hats across his career—engineer, serial entrepreneur, visionary, author, CTO—and the first-ever CISO for the City of Atlanta. He also worked as the Director of Cyber Security Strategy at the Federal Reserve Bank of Atlanta, creating a cybersecurity model that other Federal Reserve banks would follow.
The throughline of his career is an unceasing effort to break down the various silos within organizations that create security and compliance risks. He is also deeply committed to increasing the diversity of the cybersecurity community.
Planet Mainframe’s managing editor, Amanda Hendley, recently sat down with Lambo to hear his story, to get his take on the current state of cybersecurity, and to hear about what he’s working on now.
PM: Can you tell us a bit about your background and what you’re up to now?
TL: I like to consider myself a serial entrepreneur. I’ve been in cybersecurity and risk management for about 26 years, and I’ve co-founded several companies. My first executive information security roles were for John H. Harland (now Harland Clarke) and the City of Atlanta, where I was deputy CIO and the first CISO for the city.
In addition to eFortresses and HISPI, I also launched CloudeAssurance, which focused on cloud security ratings—pretty much like a FICO score for cloud security as well as enterprise security. We pioneered that space called Security Rating Services or Cyber Risk Ratings.
Recently I co-founded a family business called Lambo Publishing, which helps people go from manuscript to published in six weeks. I’m also an author. I’ve published a book called Attribution: Social and Cyberspaces.
PM: Diving right in, cybersecurity and business operations have evolved because technology has evolved. When do you think we started to see a shift into what modern cybersecurity is?
TL: I think we saw two phases of that.
Back in the early to mid-90s, you needed like five different search engines to actually find information on the web, and they were very limited. And then in the late 90s, early 2000s, Google suddenly surfaced, right? And Google became synonymous with searching the web, which is when we saw that sudden shift to e-commerce online. Everybody wanted a website, everybody saw the value of having a web presence.
But because of workloads and businesses moving online, we saw the attacks go up and it created an ecosystem. So a lot of hackers that used to use dial-up modems and hack into bulletin board services could suddenly hack a system from an IP address without actually getting easily traced.
Then ten years ago we saw another evolution. We saw people moving stuff to the cloud. And suddenly the crown jewels—all types of data—moved from on-prem. And the attack surface increased again, exponentially. And we started hearing about big data and analytics, and companies started mining our data. And that meant they stored more data, right? And because they had all that data, they also started getting attacked.
So I think cybersecurity has always tried to play catch up with technology, but technology has always led, if that makes sense. Now we’re talking AI, just another type of risk.
PM: What do you think are today’s biggest vulnerabilities for a company?
TL: We always say security is about people, process, and technology—but I’ve found people to be the weakest link. Now if your readers see that, they’re probably going to be like, “Yeah, we’ve been saying that [users are the problem] for 20-plus years.” But, in my opinion, it’s not users, it’s the security community that is the weakest link from a people standpoint.
This may sound controversial but I want to challenge our industry. Because it’s really our fault that users are the weakest links since we’re speaking to them in the wrong language. We need to start using business language, not technical—what I call bits and bytes. So that’s one issue I see.
The cybersecurity community is also not as diverse as the bad actors. The bad actors come from every type of people, every nationality. I don’t think you can pick one country in the world where you don’t have a bad hacker. Right? Everywhere.
And I would say the lack of diversity is a big challenge from a people standpoint. And if we don’t have that level of diversity, we’re short-changing ourselves because the bad actors share, and they collaborate—but we don’t do as much as they do. So at the minimum, we’ve got to have the diversity of perspective, the diversity of thought, diversity of background that they have to at least be able to catch up.
And then the third weakness is that we have a major talent shortage. Currently, there are at least half a million unfilled jobs in the US—and it’s still going up. I know this sounds really gloomy, but maybe this is where AI can help us. Responsible, safe, and secure AI.
PM: You’ve mentioned AI a couple of times, and I’m curious if you can talk a little bit about how AI is a threat, but also a tool that can be used.
TL: I recently led a panel discussion at the AFCEA Homeland Security Conference and the title was: Artificial Intelligence: Threat, Opportunity or Both? I actually believe it’s both, but the leaders on the panel and about 60% of the audience were leaning toward opportunity.
I believe it’s both because I think, while I see the opportunity, I also see the risks. I see what can go wrong. When we talk about AI, what does it really mean to have a trusted AI model? And I’m happy to say that that’s actually one of the things that my nonprofit, HISPI, has been able to do within our first hundred days of starting a think tank called Project Cerebellum.
We’ve actually launched the Trusted AI Model, which is based on the NIST AI Risk Management Framework. We’ve taken that as kind of a baseline, and we’ve mapped it to the different ISO standards. Our next task would be to map that to the EU’s AI Act.
Ultimately, I’m trying to drive my think tank to create a rating system for what a trusted AI platform looks like. But the starting point is to take all the existing frameworks, harmonize them, and promote them so folks can actually start using them to make AI safe and secure.
PM: Can you tell us about HISPI and how it relates to training?
TL: The Holistic Information Security Practitioner Institute (HISPI) is my passion. We started an outreach program about six years ago called the Cyberist, and our goal is to help fill [cybersecurity’s] talent, skills, and diversity gap. So we’re heavily focused on minorities, veterans, and women—typically underserved groups within the cybersecurity community and people who don’t have technical backgrounds.
I’m an engineer by training and the challenge is technical people tend to approach problems from a technical standpoint and less from a common sense or from a business standpoint.
We value people with technical backgrounds, but some of my best mentees over the past 20 years are CISOs and CIOs who have degrees in Spanish, English, History, Music. So we’re trying to get more folks like that into the industry and on the leadership path.
A recent success story is one of my mentees who started the program last year. Prior to that, she worked for 27 years as a flight attendant. She’s midlife, about my age, and in less than a year, she’s gotten two job offers—one with the existing airline that she works for, United Airlines. She’s crossed over from a flight attendant to the security team and she also got a job at a local company where she lives in Florida.
I told her she was an overnight success, 27 years in the making. Your life skills, the people skills, the soft skills you’ve learned for 27 years, we need it in this industry. And that’s what I saw from the very first time I spoke to her.
PM: One last question. For someone who wants to get into cybersecurity and information security, what’s your advice on their career path?
TL: Great question. I would say the first thing is to find a mentor—and then to make sure that you’re teachable and hungry and humble because that’s going to help the mentor help you. In addition, you have to have a critical-thinking mindset, and be business-minded, and you have to be willing to invest in yourself. So if that means actually spending money, you may have to do that. And then you have to value your mentor’s time as well. I think all these things go together.
Amanda Hendley is the Managing Editor of Planet Mainframe and Co-host of the iTech-Ed Mainframe User Groups. She has always been a part of the technology community having spent eleven years at Technology Association of Georgia and six years at Computer Measurement Group. Amanda is a Georgia Tech graduate and enjoys spending her free time renovating homes and volunteering with SEGSPrescue.org in Atlanta, Georgia.