Profile: Robert Keefer, CISO, Pew Charitable Trusts

Robert was featured in the December 2024 Feats of Strength magazine. 

 


Robert Keefer’s career in IT and security spans over 20 years, with a keen focus on helping organizations achieve success by continually increasing trust and comprehensively improving security programs. Not only has Robert held many notable jobs across security functions, but he was also a Cybersecurity Adjunct Instructor at the University of Michigan, has co-authored a book, and advised the Michigan Department of Health and Human Services on policy and procedure to secure the privacy of behavioral health patients.

Robert’s previous experience includes Senior Security Analyst at Eastern Michigan University, Lead Security Architect at Health Alliance Plan, and Information Security Program Manager at Harman International. He then moved into CISO roles at Tweddle Group and at his current organization, The Pew Charitable Trusts, where he is Associate Director, Security Operations.

Robert has worked at The Pew Charitable Trusts for over four years, and shares, “Pew is a data focused nonprofit that focuses on research and programs that bring measurable results, which I really like. I’m very excited by the work that we do, and I currently lead a team of absolute experts in the field that are a delight to work with. They make me proud every single day of the work that we do. We work across the gamut, we take inputs from the SOC, we respond to incidents, we do preventative work, and we do consultative work both with IT and with the organization as a whole to ensure that they’re being secure. We work with just about everything that might relate to information security and my team is absolutely fantastic at it.”

EFFECTIVELY COMMUNICATING THE VALUE OF SECURITY 

Robert views his role as one that requires strong communication. He explains, “My role as a leader is to communicate the value of security across the organization to various teams and to communicate the work that my team is doing to keep them safe and our data safe. Because it’s not just about the people who work at Pew, it’s also all of the people who trust us with their data. There’s a lot of what the business will call reputational risk, but it’s really trust in a very human way. And my job is to communicate the value of the work that we do to ensure that that happens.”

He says he accomplishes this level of communication in a few different ways, with a heavy focus on face-to-face work, meeting with his executive peers across the organization, and participating in or working with multiple committees. It is important not only to meet with many executive peers, but also to ensure the conversations are beneficial in both directions, with each party walking away with a clear understanding of the other’s priorities. Having a strong relationship with the CIO is also important to Robert, and he believes all CISOs should work closely with their CIO to ensure the CIO becomes a champion for the security program.

CLEARING ROADBLOCKS AND ENSURING SUCCESS

Robert’s responsibilities include cyber security, IT risk and IT vendor risk, along with collaboration with the legal team on data privacy. His role is to establish a vision for the program, hire people who can help him accomplish that vision, and then put trust in them to help him build and roadmap out the program. Overall, he says his job in a nutshell is to ensure his team’s success.

He continues, “I clear away roadblocks for my team, I meet with them to ensure that they’re making progress, help provide direction if they’re stuck, answer questions if they have them, if there’s a challenge that they’re having with a team or a person or a technology, I’m there to help them with that. If other people are having a challenge with them, I’m here to help with that as well. I don’t avoid hard conversations, but I do avoid seeking blame. I prefer to look for solutions when a problem comes up rather than blaming people.”

FOCUS ON MATURING THE SECURITY PROGRAM

Robert and his team are currently focused on maturing their automation capabilities by automating their security response and potentially streamlining routine analytic work. The goal is to speed up the response time and reduce the time between detection and resolution. Much of this work involves scripting what they can script, but also taking areas of work such as vulnerability management or data management, and finding ways to automate so his team has the bandwidth necessary to react and respond in a proper fashion. 

Evaluating their current tools is another area of focus, to ensure they still align with where they are headed as a team in terms of roadmap goals. Robert says, “We are working to make sure that the technologies we have invested in still align well with our current team and program goals and where Pew is headed as an organization.”

Another program focus is around data identification and protection. Robert explains, “Our privacy program is relatively new from a formal standpoint. We’ve always looked at privacy, but the kind of concentration on a formal framework and a formal approach is fairly new for us. And one of the things that we’re learning is that there’s a lot of it out there. There’s a lot of data out there.” He says they want to be able to help the organization become more agile, with security helping to free up the employees to safely and appropriately share data with external partners. They are currently looking at tools to help identify where their data is and what it is sensitive to, so they can automatically apply rules to it. That way, if an employee wants to share data with a partner, they don’t have to think about contacting security first.

Continuing on the topic of data governance, Robert says the goal is that if an employee is doing something of high risk, they have tools in place to automatically stop them from doing so. It will not only help them out from a speed perspective, but it will do so without sacrificing security. He comments, “The question then becomes how can we become better partners to the organization rather than merely being Internet cops? And, I think one of the ways that we do that is by focusing on data governance as a business enabler rather than a limiter. How do we make it easier for our people to do their jobs without having to worry about whether or not they’re doing the right thing?”

GROWING AS A LEADER 

To ensure he continues to grow and learn, Robert says he is an avid reader and enjoys staying up to date on leadership books, whether it’s referencing something he has already read or reading a newly released book. He is also part of many organizations and professional groups such as ISC2 and ISSA. He gains a lot of value interacting with peers because of the frank nature of the conversations that take place, with genuine collaboration and discussion around challenges. He explains, “Sometimes sharing what I’ve been doing is as valuable as learning what other people have been doing. Because it can help solidify in my mind the reasoning behind an approach, help me draw out some conclusions that maybe I hadn’t thought of before because I’m talking them out with somebody else or just because I’m having the opportunity to think about them again in a different way. So that’s always very useful and being able to come away from those full of different ideas that I can now sit and process. I find that incredibly valuable.”
