Interview: Michael Higgins, CSO, New York Times

Safeguarding one of America's most respected news organizations is Higgins' primary objective
Safeguarding one of America's most respected news organizations is Higgins' primary objective
Michael Higgins, The New York Times Company
Michael Higgins, The New York Times Company
The Great Wall of China, Higgins reminds us, is a timeless example of why multi-layered security is a must
The Great Wall of China, Higgins reminds us, is a timeless example of why multi-layered security is a must

A quick glance at the resume of Michael Higgins reveals some rather impressive security-related credentials. The current chief security officer of The New York Times Company has been in the business for more than 20 years, in both the private and public sectors. It’s his time in the public arena, however, that has set the table so nicely for life in the business world that followed.

But first, came Higgins’ studies at Northeastern University in Boston, where he earned a bachelor’s in criminal justice. I asked Higgins about the somewhat tangential link between his current role at the New York Times and that of his educational training in criminal justice.

He simply nods his head. “I’ve come full circle there”, Higgins agrees. He then recalls how, upon graduating, he contemplated going to law school.

The Army, however, offered him an opportunity to go to flight school and learn how to fly helicopters. “I’m like, you’re going to pay me?”, an incredulous Higgins recounts.

That was in 1979, where he made good on his goal, moving on from basic training to become a helicopter pilot. For nearly the next 15 years, Higgins would serve in various military and intelligence roles, including stints as the director of the Defense Intelligence Agency’s Computer Emergency Response Team and deputy director of the Defense Information Systems Agency.

His secondary role in the military was as an operations research systems analyst, and he earned a master’s from the University of Southern California in systems management operations research, while simultaneously serving his country. This led to an opportunity to be a test officer for telecommunications equipment, which he considers his first taste of IT-related security.

The next decade-plus saw Higgins move through many transitions in public service. Recalling how the DoD was at the forefront of network security at the time, Higgins soon realized that the military might not be on the front lines of a true ‘cyber war’.

He spent his last years at the DoD giving briefings on the insecure nature of its unclassified networks, warning about what was likely on the horizon. “The DoD’s not going to be invited to the next war”, he remembers. “I mean, no offence – why would you attack someone with guns? Go attack the banking system, go attack the transportation system – you could have a far greater impact on the world as we know it without attacking the guys with the guns.”

So the former Army captain began the second act in his professional life during the summer of 1995, when he took a position as VP and division manager at Science Application International Corporation, better known as SAIC. It was the end of a distinguished career in public service, but Higgins foresaw the work yet to come.

“It hurt me to do it”, he says of his decision to leave the DoD. “But it was just time, and I truly believed that the commercial sector needed the expertise that was coming out of the government.”

“It’s funny, [when] you’re in the government, all the government wants to know is what the commercial sector is doing. [Then] you get into the commercial sector and all they want to know is, what’s the government doing? I think at that time it was the perfect launching point for me, that I could get out and have a significant impact.”

Safeguarding ‘All the News that’s Fit to Print’

The first decade of the twenty-first century has been one of upheaval for ‘traditional’ media, a fact that I know all too well. One of the key reasons I wanted to sit down with Higgins was to gain insight into the unique challenges a media company faces in its security program, at a time when the technology and the industry it serves are undergoing profound change.

Higgins acknowledges that the New York Times is part of this revolution, even leading it in certain aspects. He shared some of the key problems this presented to the security team upon his arrival at the company in the autumn of 2009 – How do you apply security within the framework of a transforming industry? How do you build a robust security program that continues the trust of customers who buy print products now into the digital world, ensuring them another trustworthy environment?

"Throwing up standard devices like IDS systems, firewalls, file integrity managers, and anti-malware sensors – those are all well and good, but sometimes they’re like a shotgun, when maybe what you need is a scoped rifle"

The Times elevated the former director of security position, according to Higgins, to the executive level upon his arrival to “consolidate the physical security, IT security, and personnel security programs, and build a robust sympathetic policy base for it.” The CSO at the New York Times is not responsible for personnel or physical security, adds Higgins, but he is responsible for security policy and policy implementation.

Like many others in the world of IT security, Higgins’ role has branded him “the PCI guy” at his company. There are other considerations, nevertheless, that play a big part in the security program at one of America’s most respected news sources.

“The biggest challenge I’ve had is [achieving] balance between security and operational fluidity”, says Higgins. “I can’t build a security program that would be so robust that [reporters] can’t actually write their stories.”

Unlike the world of financial services, where Higgins spent the first part of his private sector career, security at the Times means being an enabler – “no matter where [our staff] are in the world”. The paper’s editors, writers, developers, and other contributors need seamless connection to the company’s networks, to do research, to post stories, and for outreach. All this, Higgins continues, must be done “without the handcuffs of a big security program”.

Security Gameplan

The security program at the paper, nonetheless, is not the Wild West this picture might paint – not if you come back to Higgins’ original viewpoint that security within a media company must be, primarily, an enabler. Otherwise, the outlet’s product would suffer.

Education is key to the overall security gameplan at the New York Times. “I think my biggest challenge, and the biggest program that I’m doing, is an awareness program”, Higgins says. “It’s just bringing them up to speed with what the threats are today.”

It’s no secret that the last decade has been somewhat unkind to the media industry – whether its declining advertising budgets, slashed staffs, rising subscription fees, or the free-for-all that is the internet. All have had their negative impact on the business model of the media’s old guard.

“Like anybody in the media industry, these are financially challenging times. So how do you use your money frugally? How do you apply the best solution that you can put in place that will give you the most flexibility moving forward to the threat that you’re trying to address?”

Higgins believes that the most effective security programs are the ones that fully understand the threats they are fighting against. This, says the Times’ CSO, can include both the most robust (read: expensive) devices on the market, down to freeware products. The key, he continues, is matching the proper threat with the appropriate response. “Throwing up standard devices like IDS systems, firewalls, file integrity managers, and anti-malware sensors – those are all well and good, but sometimes they’re like a shotgun, when maybe what you need is a scoped rifle.”

The Right Tools for the Job

Selecting the appropriate technology for a particular job may not be an exact science, but it’s easier than some would expect, says Higgins. “There are the big brand companies out there that would like you to spend a couple of million dollars on their solution that’ll enter everything under the sun, and probably cut your toenails at the same time. But the bottom line is, there’s a lot of cutting-edge technology that has been developed by small companies that still have aggressive price points to get into the business, and are offering great solutions with different products.”

It is these novel solutions that Higgins seeks out, while also remaining a customer of some of the largest security firms. To him, it’s about the right product, for the right solution, and the right price. They are the considerations that any sustainable business must weigh, and so too must those who are responsible for security purchases. “The bottom line”, he concludes, “is where am I going to get the most flexibility not only for the threat today, but the one I am anticipating coming tomorrow?”

The former Army officer is also keen to apply his military training at his current job. Although I don’t get the impression that Higgins is a drill sergeant-type disciplinarian (his easygoing demeanor suggests the opposite), there are definite military strategies being applied here in the private sector.

"The biggest challenge I’ve had is [achieving] balance between security and operational fluidity. I can’t build a security program that would be so robust that [reporters] can’t actually write their stories"

I query Higgins on his thoughts about the ‘defense in depth’ gospel preached by so many in the security industry, seeking his explanation for why this is so important. He replied with some history lessons, recalling the miserable failures demonstrated by the Great Wall of China or the Maginot Line.

“The one thing [the military] taught me well was defense in depth – its not just one single line of defense, its multiple layers of it, and it’s fallback positions, so if this fails, you go on to the next one.” While Higgins had trouble citing any particular mistake he would prefer to revisit, he does add that his military training demonstrated that “flexibility is the name of the game”, both in the military and in security. “Every stupid decision in life gives you the opportunity to make another decision. Even if you make the wrong one, turn around and make the right one.”

Protecting Your Public Face

Higgins proudly conveys that, at the New York Times, he always has the ears of the executive team regarding the company’s security program. As he reiterates, trust is the keystone of the media corporation’s brand, and he is always able to get an audience with the company’s board whenever an issue needs to be raised.

“It starts at the very top”, Higgins reveals, “down through the CFO, the general council – everybody understands how important security is, and how important this relationship with the customer base is. Since I’ve been there, it’s been 100% support, not only at the executive level, but also within the board level.”

As one of the most visited news websites the world over, the New York Times management must view security not as a business obstacle but as a necessity. The Times website, as Higgins confirms, is the “public face” of his organization. This being the case, he assures me that the company has a “very aggressive program to protect that public face.”

It’s not just reporters’contacts, PCI data, or proprietary information that his security program must consider. Perhaps, most important, is the security of the paper’s website.

“When you connect to the New York Times websites, you’re not going to be infected with a virus. That’s my commitment, that’s where we stand”, Higgins promises. “We are very aggressive at protecting our image and protecting our brand, and making sure that the trust relationship starts with the very internet connection that you make to our environment, that you’re not going to be a victim, just because you’ve connected to us.”

I redirect, and ask Higgins if the paper’s reputation, not just editorially speaking, but speaking in a security sense, is its lifeblood.

His response is a resounding affirmation. “People trust the New York Times to give you an independent view of the news, and I believe that starts with the very connection that you have with us, and anything that interferes with that trust relationship.” After all, a violation of that trust can irreparably damage his company’s brand.

"I think that is our number one concern going forward, to establish and keep that trust and keep that relationship with the customer.”

I’ve often heard industry experts extol the merits of taking the time to understand an organization’s business goals to develop effective security programs that promote operational flexibility while addressing risk exposure. In this vein, think of Mike Higgins as the Mr. Goodwrench of security – someone who understands the value of a good alignment.

What’s Hot on Infosecurity Magazine?