Protecting the information and information assets at Fannie Mae, a primary source of financing for American mortgage lenders, is a daunting proposition. Christopher Porter, who has served as the Fannie Mae CISO since 2016, is up to the challenge.
Formerly known as the Federal National Mortgage Association, Fannie Mae was founded after the Great Depression as part of President Franklin Roosevelt’s New Deal. The subprime mortgage crisis and continued deterioration in the housing market led the Federal Housing Finance Agency to put Fannie Mae and Freddie Mac — another government-sponsored enterprise, formerly known as the Federal Home Loan Mortgage Corp. — into conservatorships in September 2008. Since then, Fannie Mae has weathered a major transformation, including increased regulatory oversight, adoption of customer-driven business processes, updated information technology and a rebuilt security program.
Porter moved into the Fannie Mae CISO position after joining the company as deputy CISO in 2015. Prior to Fannie Mae, he held senior roles at Verizon, as a lead analyst and author of Verizon’s Data Breach Investigations Report series and co-creator of the Vocabulary for Event Recording and Incident Sharing (VERIS) framework. Porter, who holds a bachelor’s degree in both economics and psychology from the University of Virginia, has worked as an information security consultant and as an economist.
Along the way, Porter earned a master’s degree in management of information technology (MIT) from the University of Virginia’s McIntire School of Commerce, where he is currently a member of the M.S. MIT Advisory Board. The Fannie Mae CISO also serves on the board of directors at the FAIR Institute, which uses the factor analysis of information risk as a framework for handling decision-making in line with on a standards-based quantitative model. Here, he talks about how his experience prepared him for running security programs at Fannie Mae.
Your background includes a dual degree in economics and psychology — not necessarily a “typical” starting point for a CISO. Could you comment on how that education has shaped your approaches to cybersecurity as the Fannie Mae CISO?
Christopher Porter: I actually started at University of Virginia in pre-med, and then I met organic chemistry and we didn’t get along. I was interested in economics and psychology because they’re both about human behavior. Economics is about behavior with regard to scarce resources and rational responses to that. Psychology is about personality, social psychology, psychobiology, and the underlying mechanisms that cause people to behave a certain way. Together, you would think it would give you a better understanding of human behavior. … Funnily enough, the whole field of behavioral economics is a mishmash of those two fields. I was peeking at that when I was in college, all the biases we have and how we behave. …
I also have my master’s in management, which I got some years later. Ultimately, what I have learned from my education, and economics certainly, is around decision making. Ultimately, cybersecurity is built around risk management, and that is built around how you make decisions in an organization, and that in turn is based on what kinds of data you collect and what biases you have — and what the bad guys are doing. It is a game of tradeoffs.
What are your biggest cyber challenges, and how are they different from, say, banks or organizations on Wall Street?
Porter: I think every company is different in a lot of ways. We tend to group companies in terms of their industry, and all of the companies are perceived to have the same threat, but that is not exactly true. I remember when I was working on the Verizon Data Breach Investigations Report, we found that different companies had different threat profiles.
We are different from most banks on Wall Street; we’re a business-to-business operation in the secondary market that creates liquidity for people to buy homes. We do have consumer information because, if you buy a house in the United States and it is a conforming loan and it comes to us and we buy it, then that is the kind of information we get, just like other banks on Wall Street. [Banks] have personal information that they have to protect, but they are business-to-consumer companies, so they have more fraud concerns. They have to worry about people logging into bank accounts and transferring money.
Our worries are more about the availability of our systems. Banks have to be up and running all the time so consumers can connect and access money and do online bill pay. We have to be online for our customers — those banks making loans. They have to be able to use our systems and integrate with us at any time.
Certainly, every company is concerned about any kind of breach, whether by organized crime or nation states. We don’t want the Equifax breaches to happen to us, and we are also concerned about availability-oriented threats like ransomware or other types of malware.
A few years ago, Fannie Mae suffered a number of serious cyberbreaches involving contractors with unauthorized system access. What lessons did the organization learn?
Porter: We now pay attention to both contract and regular employees. They’re both insiders; that’s our perspective.
What lessons did the organization take from that, how do you work to prevent those incidents today, and do you have any recommendations for others fighting that same battle?
Porter: Like most organizations, we are concerned about lessons learned. My experience at Verizon taught me that one of the best sources of improvement an organization can have is learning from the incidents they have had. That is what the Verizon breach report is all about, using VERIS and various frameworks to understand who did what to what assets.
We take that same approach with all our incidents here and break them down into components. It is important to need to be learning as an organization and take those lessons and put them back into your practice. What controls should you implement so it doesn’t happen again?
What were the big takeaways from your career at Verizon and, in particular, having had that infrastructure view?
Christopher Portervice president and CISO, Fannie Mae
Porter: When I first started, the amount of data that companies and CSOs could use to make decisions was very limited. As we started putting that report together in 2007 and 2008, there was a hunger for that kind of information, and we were able to fill that void. I think that has gone a long way toward helping people make better decisions in organizations. I mentioned threat profile by industry and how companies often need to allocate resources differently. That is what has helped me immensely and brought my career into running programs here at Fannie Mae: understanding our company, what we do, how we make money, what our businesses are. That kind of information drives the kind of things we do here. However, there is still a lack of data in the industry. Even today, when we talk about best practices, there isn’t a lot of data telling us what best practices are.
Like with a data breach, it is a name-and-shame kind of thing, where the talk is about how many records were lost, or whatever, but not much is explained about how it happened. Was it software that wasn’t patched? We don’t get to that level the way the National Transportation Safety Board does with aircraft accidents. The information they gather and share is very helpful to a lot of airlines and manufacturers. In cybersecurity, there is some information sharing, but it is just to a certain point: It is threat information that is shared. But how things happened, it is often not shared.
D.C. has so many vital institutions and organizations that need a strong cyberdefense. Is it difficult to find the people you need within the region?
Porter: I think every company struggles with their cybersecurity personnel needs in some ways. You don’t have to go too far in your reading to know there is a big discrepancy between supply and demand. I’ve read there could be 1.1 million jobs unfilled by 2020. You see hot spots across the United States. The D.C. area probably has one of the largest supplies of cyber people in the U.S., but also a lot of demand.
What is the D.C. area cyber community like in terms of information-sharing organizations?
Porter: We work with lots of different organizations. The Financial Services Information Sharing and Analysis Center is the biggest. We participate quite a bit, and we have people go and present at various summits.
[FS-ISAC] is across all financial services organizations. But we also share attack information through other avenues. [As the Fannie Mae CISO], I am part of several informal CSO groups where we talk about best practices and policies and how we are running our programs. That allows us to take each other’s learning and bring it back into our organizations. It is not a zero-sum game; information sharing raises the waterlines for all of us.
As a government sponsored entity, does Fannie Mae have to adhere to directives like the Federal Risk and Authorization Management Program?
Porter: No, we don’t have to follow FedRAMP, but we do have a regulatory oversight from the Federal Housing Finance Agency. They have published bulletins we have to follow, and we have adopted the National Institute of Standards and Technology Cybersecurity Framework. I think I saw a statistic that 80% to 90% of the financial services industry companies have adopted NIST as a framework.