It is rare to have the chance to pick the brains of so many security experts at one time, but that is just what happened in our latest webinar, Join the (Re)evolution of Security: Make Security Part of Your Business Vernacular. We were lucky to have Anvilogic webinar alum Lucas Moody, head of security technology at Twitter, at the helm. With him on the panel were Mark Eggleston, CISO at CSC; Enoch Long, Senior Director Security Operations at Regeneron; and Ashwin Ballal, EVP and CIO at Medallia. Together, their security and business knowledge is unsurpassed.
Understanding what security today means for your business
A recurring topic throughout the discussion was how security continues to move to the forefront of organizational strategy; if it isn’t top of mind for you, it needs to be. Moody put it best when he said, “CISOs are now making their way further and further up in organizations. This is leading to a situation where, now we have sometimes, CISOs report into general counsel or direct to the CEO or to the CFO.” Beyond titles and getting a seat at the table, it is important to understand how CISOs can help other C-level executives understand the ever-expanding security landscape and what the new information they are being given truly means for the business.
Eggleston's thoughtful response helped to describe how historically security has been seen as more “technology than business.” He went on to mention how security and those presenting it can be a great resource. The panel agreed and gave some tips for talking about stakeholders and security. The first step to best enabling your organization to make security part of the business is forming relationships with key business stakeholders and board members. Second, make sure to partner across the business to understand what the stakeholders are looking to get out of security, and use these relationships and understandings to show where security can add value every day at the business level. Ballal also mentioned that speaking in the vernacular of the board and stakeholders, and aligning to their understanding and needs, can go a long way, and that it can become a win-win all around.
Diversification in Security can lead to team satisfaction and business success
The conversation about how to increase the understanding and importance of security at the executive level led the panel to discuss the need to have the right people in place for these relationships to succeed. Each agreed that it is difficult not only to acquire but also to keep security talent these days. Long added that one important way to grow teams that last is through diversification, “not only from a skills perspective, I think personality-wise is very important, and how you build a team from different backgrounds with the common mission.” The panel agreed that bringing in different backgrounds, not only of thought but also of title, as in Eggleston’s case, will continue to enhance security talent within your team.
This kind of diversification extends to how you build your security practice from a tools and security operations perspective. It always goes back to people, processes, and technology. If you have a diverse team thinking of things from different angles, you should also have a strategy and methodology that lends itself to the different tools that can help your team instead of causing more pain. When you begin to look at everything from a diversification standpoint, you can see how the pieces of security operations come together to focus on what matters most. That means keeping people engaged by giving them meaningful projects rather than leaving them spinning in alert chaos, and having technology that does its job and alleviates pain points. You will then be able to set up processes and find areas to automate, ultimately increasing the efficiency and efficacy of your security operations, as well as job satisfaction, so the team can focus on what matters: reducing overall risk.
Walking with the Board on the Security Journey
This brought the panel back full circle to how to speak to the board and stakeholders and the best way to present digestible information about vulnerabilities and crisis management and provide them with a good level of risk management assurance. Eggleston mentioned he once had a colleague tell him, “CISOs do not own risk, CISOs manage risk. We’re there to shine the light on the threats, shine the light on the controls, even if it’s just compensating controls. But at the end of the day, it’s the CEO and the board that owns the risk, not the CISO.” Moody agreed and feels that is the area security leaders need to evolve their thinking around. He went on to say it is their role, as security experts, to help the business understand the security journey and be with the boards and stakeholders to make it through.
The idea of security within the business has changed a great deal over the past few years. The structure and placement of the security expert have also changed and will continue to change as businesses and security needs evolve. Discussions like this are going to help companies and stakeholders better understand how they should leverage their CISOs and security teams for their current and future security needs. We were so privileged to have Lucas Moody back for another webinar, and with the addition of the diverse expertise of Long, Eggleston, and Ballal to the panel, our hope is that this webinar will help others see where they can add diversity and alignment with their CISOs and current security needs.