Secret CSO: John Petrie, NTT Security

What is the worst current trend in cybersecurity? “Complete dependence on a single security product/solution. Cybersecurity needs to be holistic and strategic to be successful and completely depends on top-notch people, process, and technology.”

Name: John F. Petrie III

Organisation: NTT Security

Job title: CISO

Date started current role: October 2019

Location: NTT’s corporate HQ is Tokyo, Japan; my US location is the San Antonio, TX area

John Petrie is the CISO at NTT Corporation. His current responsibilities are the harmonisation of security technologies and standards across NTT’s portfolio of businesses. He is an accomplished senior executive with more than 35 years of success in the manufacturing, financial services, defence, technology, security, telecommunications, education and healthcare industries. Petrie’s areas of expertise include information security strategy, information security policy development, risk management, analysis and mitigation, security compliance and enterprise information security operations. Petrie is the President of the Alamo Chapter of the Information Systems Security Association (ISSA), a Member of the Board of Directors for the Cyber Threat Alliance (CTA), and an Advisory Board Member for Morphisec, Ltd., among others.

What was your first job? I was a land surveyor.

How did you get involved in cybersecurity? My father’s love of computers led me down this career path (my first computer was a 6-inch screen with components made up of vacuum tubes).

What was your education? Do you hold any certifications? What are they? University Degrees:

  • Master of Business Administration, City University
  • Bachelor of Science in Liberal Arts
  • Graduate of the Defence Intelligence College
  • Associate Degree in General Studies

Professional Certifications:

  • Certified Business Manager (CBM)
  • Certified Information Security Manager (CISM)
  • Certified Homeland Security Protection Associate - Level III (CHPA-III)
  • Certified Information Systems Security Professional (CISSP)
  • Certified in Risk and Information System Control (CRISC)

Explain your career path. Did you take any detours? If so, discuss. My career path began in 1976 when I joined the Marine Corps, serving in many positions including Intelligence Assistant, Intelligence Chief, Naval Space Operations Chief, Intelligence Operations Chief, Signals Intelligence Chief, Special Security Office Chief, among other duties as assigned. Retiring in 1996 after 20 years of service, I chose an Information Security career, with my first civilian position as Systems Security Analyst with Lucent Technologies (Bell Labs). Publishing two technical publications and training over 700 students in technical security tools, I found that I was well behind my peers. I made the choice to move to multiple companies gaining experience and moving upward in the private sector.

My next position was working for CACI as a Senior Systems Engineer assigned to the Directed Energy Laboratory providing UNIX-based support. From there I moved to Sprint, assigned as a Project Manager and ultimately becoming the Service Delivery Manager for the region. From there I took a path to gain experience in security consulting, taking a position at Netigy Corporation initially as a Consulting Services Manager, and then being promoted to Senior Principal Consultant. At this point I made the choice to move into senior management by taking a position with Trendec Corporation as the General Manager and Director of Security. I note that at this point, 9/11 had occurred and most of our clients were devastated. I became unemployed for a short period of time, so I decided to finish my MBA. My next position was the Chief Information Security Officer (CISO) for the University of Texas Health Science Centre, creating the stepping stone to future CISO positions. After serving in the Academic arena, I took a position as the CISO for Harland Clarke (formerly Clarke American), becoming the SVP of Infrastructure and Chief Information Security Strategist.

After 10 years I moved on to form my own consulting business while at the same time taking a position with IBM as an Executive Consultant. After a couple of years, I was offered a position as the CISO for Solutionary (later acquired by NTT). I was promoted to Global CISO for the new company, called NTT Security. After a few years as the Global CISO, I had an opportunity to take over as the CEO of NTT Security Americas, and then moved up to NTT Holdings as the Counselor to the NTT Global CISO. I am now CISO at NTT Security Holdings. I go into more detail on my career journey in my book, “From Private to CEO (And Some Stuff In Between).”

Was there anyone who has inspired or mentored you in your career? Let’s remember that information security/cybersecurity is a relatively young field. At the beginning of my career there were not a lot of people that were seasoned – we were all learning as we went, using trial and error. I think Whit Diffie, the writings of Auguste Kerckhoffs, Dorothy Denning, and Eugene Spafford, to name a few, influenced me a lot. But I have had many mentors over the last 40 years, from business, military and technical. Some I talk about more in my book.

What do you feel is the most important aspect of your job? The CISO job landscape is always changing and the threats and struggles you may face as a CISO go beyond protecting the organisation’s data from potential attacks. Adversaries are fully aware of how our threat landscape is expanding and that we have limited resources. Now more than ever, everyone has an important role in strengthening the kill chain. Sharing data and creating partnerships is one of the most important aspects of my job. By doing this, we enable more effective responses and better predict future techniques to deter adversarial efforts.

What metrics or KPIs do you use to measure security effectiveness? Compliance with security policy; number of cyberattacks, coupled with the number of successfully mitigated or handled incidents; number of unidentified devices on the network (determining the use of shadow IT in your ecosystem); and user experience, to name a few.

Is the security skills shortage affecting your organisation? Yes. What roles or skills are you finding the most difficult to fill? It’s not just the roles but the lack of qualified applicants. In addition, 53% of the population in the US is female, but only 1 out of 500 resumes submitted for an open cybersecurity position is from a female applicant, and the ratio for women in security executive positions is drastically lower still.

Cybersecurity is constantly changing – how do you keep learning? Reading articles and blogs, attending CISO exchanges, participating in Security50, a private peer community that enables CEOs and C-level executives at globally respected organisations to discover better ideas, share valuable experiences and build relationships that make a lasting impact, collaborating with the Cyber Threat Alliance to share and hear expert analysis and news on the most important issues facing the cybersecurity industry today, and other organisations.

What conferences are on your must-attend list? Defcon and Black Hat; targeted Summits like the CISA National Cybersecurity Summit; Regional CISO Roundtables.

What is the best current trend in cybersecurity? Cybersecurity architecture and the integration with enterprise architecture; already looking to the future and considering things like quantum security; more collaboration between the U.S. government and private sector. The worst? Complete dependence on a single security product/solution. Cybersecurity needs to be holistic and strategic to be successful and completely depends on top-notch people, process and technology.

What's the best career advice you ever received? A dinner is never just a dinner.

What advice would you give to aspiring security leaders? Be true to yourself. Don’t be afraid to speak the truth. This is how you know you’re working with a good leader. A good leader will listen.

What has been your greatest career achievement? Over the span of my career, I’ve had the opportunity to advise state governments on encryption capabilities and have provided input on cybersecurity-related topics with the federal government in multiple capacities, such as the Department of Defense and Homeland Security. But most recently, I have been selected to serve on the Joint Cyber Defense Collaborative (JCDC) and will be advising Jen Easterly, the Director of CISA. The JCDC brings partners—including those in federal and SLTT governments and the public and private sectors—together to unify defensive actions and drive down the occurrence of major cyber incidents. Led by CISA, this collaboration is designed to strengthen the nation’s cyber defenses through planning, preparation, and information sharing.

Looking back with 20:20 hindsight, what would you have done differently? From a career perspective, I would have spread my time differently. During the pandemic, working from home, I found that I was attending more meetings covering multiple time zones, and was not giving myself enough personal time to decompress.

What is your favourite quote? “If you come and join my Marines, I want you to know that your number one job is to take care of the men and women you are privileged to lead.” - General Al Gray, 29th Commandant of the Marine Corps.

What are you reading now? This Is How They Tell Me the World Ends by Nicole Perlroth.

In my spare time, I like to… take on a different kind of challenge by doing woodwork in my workshop.

Most people don't know that I… love to cook and in my early years went to culinary school part time.

Ask me to do anything but… snowboarding.