CSO Executive Sessions


Bob Bragdon, senior vice president and publisher of CSO, hosts this podcast featuring interviews with top chief information security officers from across the country. Listen in as these tech leaders discuss current security threats, critical IT projects, security skills and careers, and much more.

IDG

  • Latest episode: Oct 28, 2020
  • New episodes: monthly
  • Average duration: 18m
  • Episodes: 14



Latest episodes from CSO Executive Sessions

Episode 14: How COVID-19 changed security priorities at Bristol Myers Squibb

Oct 28, 2020 · 20:57


After a nearly 21-year career in the FBI, Roberts joined Bristol Myers Squibb in April, 2020, and has spent the past 7 months navigating the pandemic impact on the pharmaceutical giant. For BMS, like many organizations, the rapid shift to wide-scale work from home brought some unique challenges. "We're putting a lot more resources into protecting our systems, our information, and a lot more resources into educating our employees that maybe didn't have to worry about securing information themselves," Roberts says. "Our adversaries, not just nation-states, but also criminal organizations are very active ... and relentless." This is, of course, not unique to the pharmaceutical industry, but it is why there needs to be a constant focus on educating the workforce and reinforcing protections, says Roberts.

Episode 13: Serving up a risk management culture at McDonald's

Oct 16, 2020 · 27:45


In addition to being the largest fast food restaurant in the world, McDonald's is also one of the world's largest employers, real estate companies, and toy companies, thanks to the Happy Meal. It has also been transitioning into a tech company over the past several years, introducing a mobile app, kiosk systems, and digital menu boards, and investing in a data analytics company, a mobile tech company, and a voice analytics company. For CISO Tim Youngblood that means driving a framework for understanding and managing risk, and building a risk-aware culture at the fast food giant. Tune in to learn how he approaches risk management and how he believes the pandemic changed the security landscape.

Episode 12: Building board relationships

Oct 14, 2020 · 22:51


Over the past decade, CSOs have had significantly more interaction with their boards of directors, becoming critical partners and driving risk management in many organizations. And cybersecurity, information security and privacy have become key topics of board meetings today, says Mark Weatherford, chief strategy officer at the National Cyber Security Center. Why the shift? "Just a few years ago... information security was background noise [to the board]. Now it's right in their face," he says. Still, a board's time is limited and CSOs need to make the most of their time in front of the board. In this podcast episode, Weatherford shares his six guidelines for building board relationships, starting with inspiring confidence, which he says is the single most important thing a CSO can do.

Episode 11: TikTok don’t stop: Data privacy and the transparency imperative

Aug 10, 2020 · 16:36


After 10 years as CSO of payroll and HR solutions provider ADP, Roland Cloutier was looking for a challenge. He found one in his new role as Global CSO at TikTok, the fast-growing social media startup that has found itself in the news over privacy concerns. For Cloutier, who joined TikTok in April, dispelling disinformation and being transparent about how user data is protected quickly became job number one. In this interview, he calls on the security industry to take on a shared responsibility for transparency, to have the conversations and hold each other accountable.

Episode 10: Don’t be Batman: Why CISOs should embrace the sidekick role, Part 2

May 26, 2020 · 19:02


In this second half, Akamai CISO Andy Ellis and host Bob Bragdon continue their talk about the good guy/bad guy dynamic in the infosec community and why it can result in you being marginalized in your organization. Ellis’ advice: Don’t try to be the hero; be the sidekick. Produced by IDG Communications, Inc.

Episode 9: Don’t be Batman: Why CISOs should embrace the sidekick role, Part 1

May 12, 2020 · 18:15


There is a prevailing attitude in the infosec community that security pros are the good guys and the bad guys are, well, just about everyone else — users, developers, senior leadership. This good guy/bad guy dynamic can result in you being marginalized in your organization, says Akamai CISO Andy Ellis. His advice: Don’t try to be the hero; be the sidekick. Produced by IDG Communications, Inc.

Episode 8: Healthcare security in a time of crisis

May 1, 2020 · 23:39


Balancing security and business needs is challenging in the best of times, but in the midst of a global pandemic it takes on new urgency. For Gary Gooden, CISO at Seattle Children’s, this means protecting patient data while enabling frontline workers to service patients and families using new collaboration tools. Also pushed to the front burner for Gooden and his team are issues with remote work, as all non-essential staff (40% of the workforce and including Gooden himself) is now remote.

Episode 7: Security in a time of crisis

Apr 8, 2020 · 29:10


The biggest risk from the scramble to move to remote work at scale will likely be an increase in data exposed from misconfigured cloud storage buckets, says Christopher Burgess, a writer and speaker on security issues and former senior security adviser to Cisco. “You can choke a horse on the number of AWS storage regimes that have been misconfigured to allow the general public into data. Pick an industry and they’ve been affected by it.” But Burgess sees a silver lining outcome from the current crisis: “I think we’re going to also see a great deal of clever innovation on dumbing down the security infrastructure so that it can actually be understood.”

Episode 6: Building security in

Mar 25, 2020 · 17:01


We can all remember a time not so long ago when security was the department of no. “We have moved past that to ‘yes, but,’" says Mike Towers, CSO at Takeda Pharmaceuticals International. For Towers, getting to a place where it is easy for the business to do the secure thing has meant placing a strong focus on business leadership and regular conversations about risks. The end result: Security can be built in from the beginning. “From a security perspective that’s a pretty big challenge,” says Towers. As for where the security industry could be doing a better job: “I think the biggest risk to security right now is arrogance,” says Towers. “And now we’re almost pushing ourselves away from the business because there’s a mentality of spending without understanding the true business value.”

Episode 5: In security, soft skills are king

Mar 11, 2020 · 18:08


For Chad Teat, CISO of Atlanta-based specialty retailer Floor & Decor, the secret to balancing risk and business opportunity comes down to reducing friction with the business. To do that, Teat says, the CISO, engineers, and analysts all need to make it their day-to-day job to build relationships and influence with the business. “I think every security professional has been a part of highly complex projects that succeeded because everybody was rowing in the same direction. And we’ve also been a part of short putts that fail miserably because of internal squabbles.” As for where security could be doing a better job, Teat points to risk quantification and communication. “We’ve got to be speaking the same language as the rest of the business and right now in the industry a lot of times we’re not even speaking the same language as IT.”

Episode 4: Reducing risk vs. enabling the business: finding the balance

Feb 26, 2020 · 14:58


"We're [CSOs] all focused on this balance of being able to reduce risk while enabling the business," says Lionbridge CSO & CPO Doug Graham. But, he adds, "There's no real hard-and-fast rules about how much risk and what that recipe is." For Graham, the most concerning part about the CSO role isn't that there aren't any hard-and-fast rules about the right recipe for risk; instead, it's "making sure you've presented all the options and you haven't missed something…. Am I presenting the balance right to the rest of the leadership team so that we can make sensible decisions that are right for the company?" As for how Graham makes sure he's getting the most out of his security technology investment, "it's a case of defining our controls, measuring their coverage, and measuring their effectiveness," he says. "And I think that gives you two very simple metrics. What's my coverage? And what's the effectiveness of my controls?" Produced by IDG Communications, Inc.

Episode 3: Succeeding with security as code

Feb 12, 2020 · 14:29


As more organizations move to the cloud and to continuous deployment, security needs to “follow the ‘as code’ model,” says Marnie Wilking, global head of security & technology risk management at Wayfair. Where historically security engineers and analysts needed to be familiar with tools and implementations for an on-prem environment, the shift to the cloud requires a new set of skills. “If we really want to be able to succeed as security as code, then we need to hire people who can write code,” says Wilking. Her aha moment came when a colleague commented about building a team based on DevOps principles: “it made their team really successful within their business because that was the business model they were following.” Produced by IDG Communications, Inc.

Episode 2: Security nightmares: Three things that keep Biogen CISO Bob Litterer up at night

Jan 29, 2020 · 16:54


Bob Litterer, VP and CISO of biotech giant Biogen, isn’t a worrier at heart, but there are a few things that keep him up at night. High on that list is the interdependencies in his company’s third-party network; a data breach anywhere in that ecosystem could have a devastating ripple effect. Also topping Litterer’s list of worries are the exposed underbelly of operational technology and cloud sprawl, which can leave organizations with more exposure than they may realize. Produced by IDG Communications, Inc.

Trailer: Introducing 'CSO Executive Sessions'

Jan 9, 2020 · 1:56


Join CSO publisher Bob Bragdon for a new audio podcast series, CSO Executive Sessions, which will feature conversations with leading security and risk executives from around the country about the challenges faced by their organizations. You'll hear from some of the best minds in security about what keeps them up at night -- from the ever-present threat of data breaches to growing cloud sprawl vulnerabilities. Also top of mind for these leaders in 2020 is a renewed emphasis on privacy as part of risk calculations and the demand for a new set of security skills to keep pace with the shift to the cloud. Learn how these executives drive the security agenda within their organizations and build their leadership skills in a field that moves at break-neck speed. What better way to prepare for the year ahead than to hear from infosec leaders sharing their priorities and strategies? Subscribe to this podcast on Apple Podcasts, Google Play or Spotify by 1/22/2020 to be the first to listen. Produced by IDG Communications, Inc.
