Six months ago, we hosted a webinar focused on big ideas and strategies for security leaders going into 2021. Our expert panelists for “CISOs Talk Shop” included Thomas Davis, CISO at Terminix (ServiceMaster), Pat Benoit, VP, Global Cyber GRC/BISO at CBRE, and Jonathan Hay, CISO at Cadence Bank.
Considering the webinar’s popularity and the significant happenings in the security industry, we decided to do a follow-up conversation. We invited our same group of speakers back for another round of talking shop—here’s a summary of the most important points and takeaways from their discussion.
- A Quick Look Back at CISOs Talk Shop, Part 1
- What’s the Next “New Normal” for Security Leaders?
- Governance vs. Security
- 6 Strategies For Bridging Info Security and Business Innovation
Here are their 10 best pieces of advice:
A Quick Look Back at CISOs Talk Shop, Part 1
Our panelists gave listeners a synopsis of their biggest piece of advice from the previous webinar. (You can also read the full recap here.)
Pat Benoit: Focus on the basics instead of shiny objects.
“We spend far too much time stylizing and getting fancy, whether it be with technology or process, before we really understand what needs to happen. Take that step back and look at the basics: asset management, process, process review, and risk management documentation. Make a business decision about a process before you start throwing technology at it.”
Thomas Davis: Always have a strategy.
“It’s really about not being reactive to the business or the issues of the day. Have a strategy, have a plan, and understand what you're executing against.”
Jonathan Hay: Extreme agility.
“Have the agility in place for teams to be able to respond to new products and service requirements from the organization; face new, emerging threats in the environment; and keep up with rapidly changing technology.”
What’s the Next “New Normal” for Security Leaders?
In the months that have passed since the first “CISOs Talk Shop” webinar, there has been some material changes in the arena where our speakers’ expertise lies. From ransomware to data breaches, cybersecurity and data security continue to make headline news. Keeping those industry changes in mind, here’s what our speakers think will be the next new normal for security leaders.
- Reporting On and Translating Current Events
Since 2016, over 4,000 ransomware attacks have happened daily in the U.S. The COVID-19 global pandemic has only added fuel to the fire—hackers have capitalized on the remote workforce and escalated attacks on corporate systems. Both the frequency and scale of attacks are increasing exponentially. For example, malicious emails are up 600% due to COVID-19 and the largest ransomware payout was made in 2021 by an insurance company at $40 million.
“More than ever, security leaders need to stay up to speed on the news because they’re going to be asked questions about it,” says Davis. “You have to be prepared to talk about the T-Mobile or Colonial Pipeline hack, or anything that’s happening in the industry and in the news, and then be able to translate highly technical things into business knowledge and business acumen.”
- Evolving Your Language (But Not Necessarily Your Process)
More press coverage and public awareness means security leaders will need better ways to communicate with executive teams and other stakeholders who care a lot about mitigating risk, but don't really understand what that means.
“Ransomware is just another exploit,” says Benoit. “Your incident response should look very similar. Your monitoring should look very similar. Your recovery process might be a little different, but not that different. But your documentation may have to change to reflect new language because The Wall Street Journal and Forbes published articles about ransomware and it’s the shiny object on the board. Whether it changes the process significantly or not depends on the threat.”
“One of the things we did to improve communication with stakeholders,” Davis continued, “was break it down to the layers of assets that we're trying to protect: our data, our networks, our people, and our applications. And then we explained the associated risks at those various layers, and the controls that we can apply to mitigate those risks.”
- Living In a Hybrid World
Security leaders are faced with a hybrid responsibility, from two perspectives. Not only do they need to mitigate risks in both legacy and cloud environments, but now also have the added complexity to protecting a blended in-office and remote workforce.
Davis says, “We're living in this hybrid world where you’ll have incidents on your legacy environment and in the cloud. You really need tools, people, and processes to handle those incidents in both environments.”
- Increasing Supply Chain Attacks
Bad guys are in the business of making money and hackers have seen a huge increase in ROI in recent years. Security leaders need to expect attacks to get more aggressive and more sophisticated.
“I think part of our new normal in information security is the increased supply chain attacks,” comments Hay. “We’ve seen a few highly successful ones over the past few months and it’s going to get worse, as far as integration of ransomware threats into supply chain attacks.
“Supply chain attacks will get more sophisticated, and there will be other variants of ransomware attacks that will be highly effective against security controls, utilizing machine learning capabilities to sidestep detection. Approaching security from a pure ‘just keep the bad guys out’ standpoint, either at the perimeter or in cloud environments, isn’t good enough anymore. We have to bolster defenses utilizing a defense in-depth approach.”
- Increasing Regulatory Pressure
More and better attacks, plus more press coverage…equals more oversight. Security leaders should expect more regulations in the near future.
Hays continues, “[Because of recent events like the Colonial Pipeline], more people are paying attention and the SEC is getting extremely interested in cybersecurity events at publicly traded companies. The regulatory pressure is going to get even more excruciating.”
Governance vs. Security
Conversing about risk mitigation, our speakers went into their philosophies about governance versus security—or rather, process versus tooling.
Jonathan Hay:
“We approach things like vulnerability and patch management from a governance perspective first. We first do a process maturity assessment and risk assessment to determine the gaps we have in processes, as well as document those processes.
We tie our findings to service ownership and the level of maturity our CIO desires for the services that are delivered to the organization. And then we do a gap analysis, determining where we are now and what it takes to get to the desired service maturity levels. And finally, we backstop with solutions that fulfill any of the technology gaps.
But ultimately, the best and shiniest, top-quadrant technical solutions won’t help if you don’t have the people to support those solutions. If you have inadequate staff or inadequately trained staff, then the technology is worthless.”
Thomas Davis:
“I look at everything from a risk-based perspective. We determine the risk, the threats coming at us, our vulnerabilities, and where we stand. From there, we apply our controls to that determination to get our residual risk—what we’re left with, if you will.
Then, we think about the end game. What are we trying to solve? What are we trying to mitigate? And finally, we apply process and tooling. To echo Jonathan, the most important aspect is training your people. You can have the best tools in the world, but if you don’t have great people who are trained appropriately, it will get difficult pretty quick.”
Pat Benoit:
“The idea of risk management is obviously critical. We’ve purposely gotten rid of the term data governance in favor of data risk governance, because it’s really all about the risks to our data. Data is our lifeblood; it’s the oil that that runs the engine. Whether it’s the data you’re processing for clients or your own data, it’s the difference-maker for any organization.
When an enterprise experiences some sort of attack from the outside, there's generally not a requirement to notify if they didn't get any data. That tells you something about the importance of data and the risks to your data to begin with. Data is what matters.”
6 Strategies For Bridging Info Security and Business Innovation
- Make Security a Team Effort
Thomas Davis: “Security is everyone's job. We used to think security was the job of the team in the corner, behind the stairs. But now, everyone's being phished. Hackers are compromising business e-mails and attacking vendors, and board members are also personally liable for a breach. Everyone has to be involved and be part of the solution now.”
- Get Executive Buy In
Jonathan Hay: “It’s important to have buy in from the senior executive team; to have a seat at the table when they start talking about new products and services. Because then you’re able to have the conversations regarding potential security issues or vulnerabilities introduced into the environment, or new risk management compliance requirements based on those new products and services, from the outset. You’ll have the opportunity to articulate the inherent risk of new products and services, and even other investments or resources that are needed to help protect those new products and services.”
- Build Relationships and Trust
Pat Benoit: “Ultimately, it’s a relationship issue. There has to be a foundational relationship with your leadership team and stakeholders, and that’s often not built based on the technical reports you create or information you provide at meetings.
And those relationships are built when you demonstrate that it’s about the business first and how you mitigate the risks to the business. It’s never about being a blocker. It’s always about security bringing solutions that allows business leaders to do what they need to do to successfully execute.”
Thomas Davis: “If the stakeholders trust that you’re going to enable them to do things, the business can move really fast and won’t have to slow down for security to catch up.”
Jonathan Hay: “Build your brand, not as an individual, but as information security in general in your organization. InfoSec should never be the department of “no,” it should be the department of K-N-O-W. And that includes changing the narrative that InfoSec is a cost center. We don't generate revenue, but we are part of the value stream that our products and services deliver. So, view yourself as a value center instead of a cost center. That change in perspective is a little thing, but goes a long way toward emphasizing that InfoSec provides value and is a partner to the business.”
- Shift Left
Thomas Davis: “You can't be reactive; you've got to be proactive and shift left. Security starts as far left as the processes around developing code and deploying code to production. Train developers on secure coding techniques so you can scale securely, early on.”
Pat Benoit: “Especially if you're in a B2B scenario, you have the opportunity to be part of the sales pursuit team or part of the account management team; to actively stand in front of clients and customers so that they see that your organization leads with security and technology.”
- Change the Narrative From Cost to Value
Jonathan Hay: “While security doesn’t generate revenue, demonstrate that you view yourself as a value center instead of a cost center. It’s a small thing, but it changes the perspective. Changing that narrative goes a long way toward emphasizing that you are a partner and part of the value that technology is delivering overall to the business.”
Pat Benoit: “To paraphrase another CISO, technology and security is not part of the business—we are the business. There are very few companies that could exist today at all without technology and security. So, we should stop framing ourselves as supporters and start framing ourselves as the business. We are the business.”
Thomas Davis: “If your security team is forward thinking, it’s a competitive advantage. They will be trying to enable the cloud, trying to enable applications like Salesforce, and doing things in a way that makes sense for the business.”
Whether your role is InfoSec or IT, applications or auditing, you can benefit from the words of wisdom shared by our speakers on this webinar, as well as from solutions like Own Secure. We make it easy to implement, manage, and prove security controls on Salesforce, keeping your data secure in the most dynamic and complex environments.
