Kevin Gowen serves as Chief Information Security Officer for Synovus and is responsible for information and cyber security, physical security, business continuity, fraud, and financial crimes. He was named Chief Information Security Officer in 2015. Gowen earned Bachelor’s and Master’s degrees in Mechanical Engineering from the Georgia Institute of Technology.
He was a recipient of the James H. Blanchard Leadership award, was named Tech Exec Networks’ Information Security Executive of the Year in 2022, was a finalist for Technology Association of Georgia’s Technology Executive of the Year and received HMG Strategy’s Global Leadership Award as Mid-Cap CISO of the Year in 2023. Gowen is an alumnus of Leadership Columbus and serves as a board member of the National Technology Security Coalition along with serving on multiple advisory boards and in industry group leadership roles.
Following is the conversation we had with Gowen.
In what ways are new Information Security measures anticipated to impact and address the challenges faced in satisfying business requirements?
Cyber threats are becoming increasingly sophisticated. Updated security measures provide protection against a wide range of cyber risks and threats. This enhanced protection helps ensure the continuity of business operations.
Modern security measures help enterprises meet evolving regulatory requirements on cybersecurity and privacy. Along with maintaining regulatory compliance, robust security programs help build and maintain customer trust for the enterprise, supporting brand reputation.
Companies in every industry are driven by data, and the risks associated with data theft and loss continue to grow. Measures that enhance the security of this critical data and protect it from loss help ensure that valuable business intelligence isn’t compromised.
Central to the CISO’s role is managing risk, both understanding and managing current risks and evaluating new and emerging risks. New security measures provide better tools to support this risk management focus, enabling enterprises to make better decisions about prioritization and allocation of resources.
Modern security solutions are designed to be scalable, allowing them to grow with the enterprise’s needs. This can reduce the need for frequent, costly upgrades or overhauls of the security infrastructure. Automation in security measures helps in reducing the manual efforts and time involved, improving efficiency. For example, automating threat detection and response using AI and Machine Learning can free up staff to focus on strategic initiatives.
An important element of new and evolving security measures involves fostering a security-conscious culture within the organization. Security training and awareness programs help reduce the risk of internal threats and human error, which are significant contributors to security failures.
All of these enable enterprises to operate more securely and efficiently, provide an enhanced level of customer service and support, and support the company’s strategic objectives.
What are some of the challenges in your business for which current services are unable to provide an optimal solution?
Many businesses face common challenges in creating and maintaining an optimal security posture which aligns with their risk appetite. A primary concern is the increasing sophistication of cyber threats. Threat actors are constantly evolving their tactics and techniques, making it hard for existing security measures to keep up.
People represent a significant area of cyber risk, as both careless mistakes and malicious activity by insiders can be difficult to detect and prevent yet prove to be a significant contributor to reported security events. As more employees use their own devices for work (especially with the increase in remote working), ensuring the security of these devices and the business data they access is a significant challenge as well.
The enterprise environment is becoming more complex as well. As more technology infrastructure and systems move to the cloud, they become more difficult to secure, and this can lead to a lack of clear understanding of responsibilities between security teams and their cloud providers in a shared security model. The attack surface has also become much broader, with the proliferation of Internet of Things (IoT) devices representing potential weak points which can be exploited.
Enterprises rely more and more on third parties to provide critical platforms, products, and services. Understanding and monitoring the security posture of third parties is a challenge, and represents a significant area of risk. Third-party risk and supply chain attacks have been in the spotlight, with attackers targeting these to breach enterprise security defenses. There is also the risk of zero-day vulnerabilities in vendor products which provide a vector for cyberattacks. Traditional solutions can struggle to defend against these until after the first attack is conducted and responded to.
The changing landscape of regulatory compliance requirements for both data protection and privacy creates a challenge in balancing compliance with security. Security solutions sometimes require difficult choices by security practitioners to balance security and compliance needs.
What advice or recommendations would you offer to professionals in roles similar to yours, working in Information Security across different companies, regarding best practices and actions?
Information Security is a field that requires continual learning and adapting. Stay updated with the latest risks, threats, and trends. The landscape is continually changing, so it's important to keep learning. Attend webinars, keep up with industry news, and network with peers to share best practices and learn from each other's experiences.
It is important to understand your organization’s risk appetite. It is not practical to pursue perfect security, but you are responsible for managing risk in a way that aligns with the organization's risk appetite. Conduct regular risk assessments to identify key risks, quantify the potential impact of different types of security events, and prioritize your investments based on alignment with your company’s risk appetite.
Adopt a security framework such as NIST CSF or ISO 27001. These frameworks provide a structured approach to managing information security and a set of controls that align with best practices. You can then use this as the basis for assessing your program’s implementation of controls and their effectiveness. Conduct regular reviews of your security posture to assure it remains compliant with your policies and your prescribed controls.
Don’t neglect basic hygiene, network configuration, and data protection practices across your environment. Vulnerability and patch management, IT asset lifecycle management, network segmentation, data encryption, and having an immutable backup of critical data will help you avoid being an easy target and make it more difficult to exploit you if someone does gain unauthorized access to your network.
Security events will happen. Having a well-defined incident response plan, and frequently testing it, will help you respond more quickly, consistently, and effectively when events occur. Make sure all of your critical support areas – both internal and external – are included in your plan and playbooks and are part of your exercises. Include your executive team and board of directors to assure that everyone understands the process and their roles.
Focus on building a culture of security within your organization. The Information Security team is not the owner of cyber risk – it is owned by all of the stakeholders, and every employee plays a role. Provide regular security awareness information and training to everyone across the organization. Make the training engaging and highlight the greatest areas of risk to your industry and your company. Create accountability for engagement by every employee, as they represent one of the greatest areas of risk (even inadvertently), and potentially one of your strongest controls.
In the realm of Information Security, is there a technological development that you find most captivating, and could you provide insights into why it holds particular excitement for you?
One of the most captivating technological developments in the realm of Information Security is the integration of Artificial Intelligence (AI) and Machine Learning (ML) into cybersecurity solutions. This is particularly interesting because of how it can create opportunities to improve the ability to predict, detect, and respond to cyber threats, while creating speed, scalability, and efficiency.
The capability to analyze historical data related to security incidents and use it to predict and prevent future threats allows for proactive security measures, significantly strengthening the enterprise’s security posture and reducing the need for reactive security measures.
AI and ML algorithms can learn to identify patterns and anomalies that might indicate a security threat, at a speed and scale that people can’t match. This capacity for real-time, automated threat detection can significantly reduce the time between a breach occurring and it being detected, which is crucial in limiting the damage. AI can also be applied to automate incident response, providing real-time insights into a security incident and suggesting response strategies. This can dramatically reduce the time it takes to respond to and recover from an incident.
It is always challenging to attract and retain enough cybersecurity talent to keep up with the changing risk and threat landscape. AI and ML can help here as well, by automating routine tasks, freeing up the security staff to focus on more complex tasks. AI-based tools can be applied to automatically verify patches, updates, and configuration changes against security policies, reducing the risk of human error.
Tools and technologies themselves are never the complete answer and bring their own risks and challenges. Governance and oversight are critical to avoid introducing new risks, and sound processes always need to be the basis on which advanced technologies are laid – rather than simply taking ineffective processes and making them reach the wrong outcomes more quickly. Nevertheless, when used wisely and in conjunction with other security measures, I believe they offer great promise for Information Security.