Q&A with Pete Chronis, Chief Information Security Officer
October 5, 2016
There’s no hotter or more important topic for companies today than information security. Turner’s Chief Information Security Officer, Pete Chronis, is leading our efforts to keep company and consumer data safe while charting an innovative course for future products. We chatted with Pete about his philosophy toward IT security and how the industry is changing – as well as how he hopes to leverage his new role as a founding board member of the NTSC to help shape public policy.
Information security as a profession didn’t exist early in your career the same way it does today. How did you find your way into it?
It definitely wasn’t my goal early on to be in information security. Coming out of college, the discipline didn’t even exist the way it does today. When I was working at Earthlink, I was offered an opportunity to join the infosec team. I was skeptical since I had zero background in it, but a colleague gave me some great advice – she told me that I had all the right skills, and if I put my head down and worked incredibly hard, I could become an expert. If you talk to my peers around the industry, most of us didn’t start our careers in security, and I think that gives many of us an advantage at seeing the big picture and working collaboratively to solve problems.
What’s Turner’s approach to information security?
Our biggest job is to simultaneously look backward and forward. Here’s what I mean by that. Broadly speaking, half of our work is rebuilding legacy systems to be more secure. Every company runs on some systems that are five, ten, or fifteen years old – before infosec was as important as it is today. So we do a lot of reverse engineering. The other half of what we do is building new systems from scratch that will build our technological foundation for the next fifteen years and beyond.
What surprises people most when you tell them about your job at Turner?
People think of Turner as a heritage brand – which is a huge advantage in many ways, but “heritage” and “innovative” aren’t always seen as compatible. Yet Turner has the most ambitious technical roadmap I’ve ever seen. Everything we do – every business strategy, new initiative or acquisition – now has technology at its core. Some companies suffer from a disconnect between the executive leadership team and the technology and security teams. Executives often view security and technology as a cost, rather than a potential revenue driver. I’ve never seen a place that has more alignment in building technology and security right into the corporate strategy. When I talk about what we’re doing with my peers outside the company, they’re a bit jealous and many have said they would love to come work for us. Among the infosec community, Turner is definitely known as a group that is working to be ahead of the curve and to innovate.
One of the challenges in information security is that it seems like your work only gets noticed if something goes wrong. How do you measure success in an industry that requires constant vigilance?
Because Turner does so many different things, success means different things for different parts of our company. For example, CNN is such an important and visible global brand that we’re constantly monitoring for hacking attempts. For our content channels, it’s fighting piracy. At the corporate level, we’re constantly improving our compliance processes to ensure we disclose according to a dizzying number of local regulations.
But more broadly, we have to keep perspective on the fact that there’s no way any company can completely eliminate risk or security incidents. There are two reasons for this. First, there’s no such thing as bug-free code. In fact, there are 5-7,000 commercial software vulnerabilities identified every year, and many more that aren’t identified. Like the old parable about the bridge painter who starts on one side and has to start painting all over again once he gets to the other side, we’ll always be identifying and fixing potential vulnerabilities.
The second reason, of course, is human error. Even if our systems were perfect, people make mistakes – whether it’s downloading a malicious file or unintentionally disclosing their login credentials – every single day. So we’re successful when we minimize incidents and minimize the impact of these incidents when they do occur.
From an industrywide perspective, what trend is most intriguing to you right now?
The Internet of Things is a total game-changer. A few years ago, almost all connected devices were desktop and laptop computers running Microsoft Windows or Mac OS. Today, the majority are phones and tablets running iOS or Android. Tomorrow, practically everything around us will be connected. My Nest thermostat at home runs on Linux. Right now, many of these consumer devices are far less secure than they need to be, particularly for commercial and government adoption. And we’re already seeing an uptick in incidents of IoT devices being hacked and used to collectively participate in massive security attacks. So the potential of IoT devices to reshape and improve society is inspiring, but the sheer number of potential new security vulnerabilities is staggering. From a career perspective, it’s a great time to get into infosec.
You recently became a founding board member of the National Technology Security Coalition (NTSC). What are the NTSC’s goals?
There are a number of industry groups that lobby the federal government in order to influence information security-related legislation and regulation. They haven’t made significant progress and many worry that new laws and regulations can be extremely costly. But NTSC takes a different approach. We think it’s critical for the federal government to create modern standards that keep companies safe, protect shareholders and provide certainty. This can be done in a way that benefits everyone, and we want to be a part of the solution. And because we represent companies across virtually all industries, we take a big-picture view of the landscape.
If you could wave a magic wand and enact one new policy, what would it be?
That one’s easy – a national breach disclosure law. In the absence of a national law establishing when and how companies must report security breaches, there are more than 45 individual state laws, all with different requirements. For any company that operates in multiple locations, that can lead to incredibly complex, inefficient and expensive disclosure. I’m certain there’s a way to craft a federal law that protects the interests of shareholders and consumers, while saving companies headaches – not to mention money that we could spend on improving our security, rather than on complying with a needlessly complicated disclosure process.