Interview: Unisys' Patricia Titus

From the Minnesota prairie to the nation's capital, and many points in between. That's just part of the story of Patricia Titus, global CISO of Unisys
From the Minnesota prairie to the nation's capital, and many points in between. That's just part of the story of Patricia Titus, global CISO of Unisys
Patricia Titus, Unisys
Patricia Titus, Unisys

Unisys is a long way from its origins as a manufacturer of typewriters. The same could be said for the company’s current global chief information security officer (CISO), Patricia Titus.

Starting in Minnesota and ending at Unisys’ offices in Reston, Virginia, her path from Air Force enlistee to vice president and global CISO of Unisys has included experiences in places that most people only dream about. The chapters in the life of this executive and mother of two form a volume that details the complete CISO – a person with an uncanny balance of technical, business, and interpersonal skills.

No Degree, No Problem

Patricia Titus grew up on what she called a “hobby farm” in Stillwater, a small eastern Minnesota town on the St. Croix river, near the border of Wisconsin. Out on the Minnesota prairie? Yes, but still close enough to the Twin Cities of Minneapolis and St. Paul. Titus, however, is no Laura Ingalls. I mean, could Laura Ingalls tune up her own car and type 80 words a minute?

So this self-proclaimed Minnesota Vikings fan is handy with tools and with livestock, but Titus chuckles over the fact that she went to business school briefly, where she trained to be a secretary. “At a time when we were called secretaries”, she says jokingly. Titus made clear that she grew up in an environment that allowed her to be an independent woman, where she was “pushed to think outside the box” by her late father. Reflecting on this, Titus believes it likely lead to her history of taking on career roles normally occupied by men.

The highly accomplished person across the desk from me was about to reveal her first regret, of which there were only a few. You see, Patricia Titus, former CISO of the US Transportation Security Administration (TSA), did not finish college. No degree in physics, or in business, or computer science for that matter. Yet, it hardly seems to have held her back.

“It’s something that I talk to a lot of college students about, the fact that college is so critical”, Titus says. She adds that, regardless of her accomplishments thus far, the lack of a degree has given rise to some roadblocks. Titus believes a college degree is imperative in today’s world, but doubts she will ever return to school. Besides, her colleagues with advanced degrees say her experience is all the education she will ever need.

Titus left Minnesota at the age of 19 – or as she describes it, “escaped” from Minnesota by “running away from home and joining the Air Force. When I was a kid, I kept telling everybody I really just wanted to travel the world”, Titus shares. “That was my objective: to find a job where I could travel.” As it turns out, the United States Air Force was happy to oblige.

Basic training took Titus to Texas, where she aced the Morse code test. Then it was on to Mississippi for tech school after she was given an assignment as a Morse code operator, something very few women did for the military at that time. “I really just wanted to go in Open Administrative and be a secretary, but fate had a different path for me to take”, Titus recalls.

Then the Air Force granted the childhood wish of a young Titus, and shipped the former farm girl off to Misawa, Japan, for three years during the early 1980s.

Titus left the military, and Japan, not too long after the birth of her first child. Next stop for Titus and family was Jeddah in Saudi Arabia, where she would continue to serve her country – this time as a civilian.

Strong Women

The people skills that now serve Titus so well as CISO of Unisys were being honed in the Middle East from 1984–86, where she took a position as a liaison officer in Saudi Arabia for the US State Department. 

“The women there are actually very strong, whereas I think that the perception from Western culture is that women are suppressed, which is really not the case.” You have to understand the culture you are working within, Titus adds, and where the differences lie when compared to what you know.

With experiences like these, and having been encouraged to explore opportunities outside of what were typically thought of as gender-specific, Titus expresses a sense of duty to carry an illuminative torch for a new generation of women in the IT and infosec career paths.

“I think women in IT need to help mentor other women in IT”, she explains. So I responded by asking Titus why, in her opinion, we don’t see more women in the IT field?

“I have a theory – the IT and IT security industries are very risk-driven jobs, and women have a tendency to be risk-averse. But I think women in general stick to traditional positions; however, I think it’s changing.”

Out of Africa

After Saudi Arabia, Titus moved on to Frankfurt at the time the Berlin Wall fell. Following Germany it was off to Africa for stints in Zambia, Zimbabwe, and South Africa with more diplomatic work, this time for Switzerland. It was then back to the US for Titus and her family. She bounced from role to role in the banking sector, which she says, “really wasn’t for me”.

So it was during the 1990s dotcom boom that Titus first got involved in commercial IT. She took a position in sales with Aspect Systems, a manufacturer of NFS file servers. It was while at Aspect that Titus was encouraged to learn Unix programming, thus beginning her on-the-job technical training.

After about five years at Aspect, she decided to take a position at Technica, where she absorbed the inner workings of local area networks (LANs).

Titus took advantage of any free technology class she could during her first two stops in the IT sector. “It was really at Technica that the light kind of clicked about how technology really integrated”, she muses. “That’s really where I picked up on the security side of things.”

"You have to be able to relate a vulnerability into a business risk, and you have to turn that into dollars"

In the early 2000s, after a few years with Technica, Titus was approached about moving over to the public sector, this time for an opportunity with the US Treasury Department. Her first role was working on the department’s security certification and accreditation.

“I wasn’t really sure that the government was ready for an aggressive, loud-mouthed woman”, Titus says only half-jokingly, adding that government, to her, “seemed slow and red-tapish”. This former world traveler asked herself before making the plunge: “Would I go insane?”

The answer was a resounding no, as Titus came to Treasury at the time when the government was starting to adopt IT compliance standards. She advocated for more cutting-edge approaches to IT security and management.

Ten Years After

Back at Treasury, Titus recalls playing around with some (at the time) old Motorola P935 flip two-way pagers and figuring out a way to load VPN software onto the units. “This was back in the early 2000s”, she reminds me, “so this was hugely cool”. This was significant because it allowed Treasury Department personnel to have encrypted two-way pagers, something that would come in very handy shortly thereafter. You see, the day I sat down to speak with Titus fell just three days before the tenth anniversary of the 9/11 terrorist attacks, so this anecdote was about to become relevant – and quickly.

A combined technical background and experience with terrorism training meant that Titus was activated as ‘critical staff’ during the immediate aftermath of the terror attacks. With normal DES-encrypted assets cut off following the attacks, Titus proposed using the encrypted two-way pagers as a temporary solution to get Treasury’s critical personnel – including the Secret Service – back up and running with at least some level of security in the event that communications were being monitored.

Then Titus described the scene in Washington the day of the terror attacks: “There wasn’t a soul on the streets – not a soul, which is impossible in Washington DC. Here I am, walking out with a couple of other guys, and I’m carrying an STU-III, a classified telephone in a box. I have a radio clipped to the back of my skirt underneath my jacket, and I have a couple of boxes of these two-way pagers with me. We’re walking, and at every checkpoint we got stopped, because I probably looked like I had an Uzi down my coat. I have a hard case suitcase that could have contained lord-knows anything, and I’m walking with two shady-looking characters.”

Shady-looking characters aside, what was primarily an intellectual curiosity on Titus’ part turned into a viable business continuity solution, something she clearly takes pride in.

A New Frontier

After taking on an assignment to support the 2002 Winter Olympics, Titus was ready for her next and perhaps most demanding role as the first-ever CISO of the fledgling Transportation Security Administration (TSA). Titus says she was eager to remain in public service and join the TSA, so I asked her why exactly. “Because I’m a patriot”, she says without hesitation.

High pressure and high reward is how Titus describes her time as CISO of the TSA. It meant long hours, tons of indigestion, but a measure of self-fulfillment in that what she was doing was making a difference for her country. “I really left TSA because I thought there was an opportunity to take everything that we did so well at TSA in IT security, and take it to a major corporation”, she says. “So it was a bit of a struggle on where to go, but being one of the first CISOs in the federal government, I had a few opportunities.”

Titus would finally settle on an offer to be the CISO of Unisys Federal Systems, the very arm of the company that provided all of the outsourced IT services for the TSA during her tenure.

A Day in the Life

“There’s no such thing as an average day”, Titus replies when I pose a question about the typical day as CISO of Unisys. She does receive a daily threat report, but most days are unpredictable and can include anything from contract reviews, meetings with the security staff, or speaking at a conference.

Getting an audience with upper management is no problem for Titus either, who says she maintains a “great working relationship” with the team.

Titus says she spends about 60% of her day dealing with internal infosec issues, with the remaining time spent addressing client concerns. “The nice thing about being a CISO is that we don’t really sell anything, but we are great at sharing information.”

Even though security services is one of Unisys’ core areas of focus, Titus tells me that her company still faces the same challenges any organization does when it comes to consumer devices in the workplace. Yet, Titus saw this not as a problem, per se, but as an opportunity. It all started one day when she walked into a meeting and saw her colleagues brandishing iPads.

“When I talked to our CIO, I told him we have folks that need to have these capabilities for a lot of business reasons”, Titus relays. “Frankly, if we can address the desire to use consumer technologies, we’ve got a double story here where we can use it in the company, address our own employees’ needs, and then look at it from the outside – it [became] a great opportunity for us to create a portfolio offering.”

So Unisys rolled out its own secure mobility program in-house to test drive it before integrating parts of it as a solution for its customers.

“As you’re transforming your data center, you want to be able to address: ‘What type of data do I have in the data center?’ ” At Unisys, Titus borrowed from NIST’s federal processing standard, and categorized data into assurance models: low, moderate and high.

Unisys will take its data categorized as ‘low’ and push it into the cloud, Titus shares, and data valued as ‘high’ will be placed into a controlled environment, with many levels of security and authentication. The data valued as ‘medium’ will be assessed on a case-by-case basis, with more critical data ending up in a private cloud.

“So the flexibility which we had at TSA really lent itself well in a corporate environment, where you have to make decisions not just based on security, but based on operational necessity, and you have a different risk tolerance level”, Titus says. “You want to be, as a security professional, risk averse, but it doesn’t play well in a consumerized world where people demand data anywhere, any time, on any device.”

Furthermore, Titus contends, most organizations spend lots of money on things like firewalls, IPS/IDS sensors, and SEIMs, which she believes are losing their value in today’s environment. “We probably need to re-think our strategies for data”, she asserts. “Technology”, she says, in many cases, “is not the first, best option”.

Then Titus addresses what she feels is a myth regarding cosumerization: “The thing I caution people on is that consumerization of IT does not necessarily equate to cost savings”. If you let everyone bring their own device into the corporate environment, she adds, then your help desk calls will naturally increase. Plus there is the added cost of having to re-educate your employees on updated policies and procedures. Pile on top of this the uncharted legal territory of what happens when an incident occurs on a personal device.

I close our conversation by asking Titus if her experiences before Unisys – both technical and non-technical – helped her become a better-rounded CISO today. She very much agrees with this assessment: “I think people that are in technical roles have a tendency to be real technical when they speak and can’t turn things into layman’s terms. They can’t equate a problem, like vulnerability or a risk, into a business risk. You have to be able to relate vulnerability into a business risk, and you have to turn that into dollars.”

What’s hot on Infosecurity Magazine?