CISO Connect: Insights on Strategic Partnerships and Threat Readiness

The role of the CISO is expanding alongside the growing adoption of digital technologies, which has resulted in a faster and more interconnected workforce. The dynamic and evolving nature of cyber threats poses challenges for security teams in terms of the visibility and expertise required to defend against them. Kory Daniels, Trustwave’s Global CISO, and Trina Ford, AEG’s SVP and Global CISO, recently discussed these issues and shared their insights with fellow security leaders at the ISE Cybersecurity Executive Summit.

In this conversation, Trina emphasized the importance of adopting a strategic approach to threat readiness and resilience that begins with establishing relationships with key stakeholders, such as the CEO, CFO, business leaders, and legal teams, and understanding the risks from their perspectives.

While many leaders recognize the importance of metrics, Trina highlighted the need to also take a data-driven approach to metrics that incorporates and reflects what’s important to the business. Taking this approach ultimately influences the culture and leads to strategic partnerships. By actively engaging and partnering with the business, security leaders can identify metrics that effectively communicate potential risk to the business and inform its perception of the organization’s threat resilience and readiness posture.

Internal partnerships can make or break the CISO’s success in managing the business’s understanding of risk. Due to capacity constraints, the skills shortage, competition, and burnout, the discussion has shifted to the importance of external partnerships as well. Third-party vendors and partners play a significant role in the success of both Kory and Trina. Internal and external partnerships based on trust are paramount for helping security leaders navigate today’s difficult challenges.

This conversation underscores the need for a strategic and collaborative approach to threat resilience and readiness, striking a balance between investment and risk tolerance in a highly competitive business environment with highly motivated threat actors.

Check out Kory and Trina’s conversation below:

Kory: How can we effectively communicate cyber priorities and gain buy-in from across the business?  

Trina: Communicating cyber priorities requires adopting a two-pronged, strategic approach that involves understanding business priorities and establishing genuine, trusted relationships, starting from the CEO, CFO, and COO, and extending to business leaders, Legal, and other relevant teams. If CISOs want buy-in from business partners, we must demonstrate that we “get it,” and align the cyber strategy to business imperatives and priorities. It cannot be a “check the box” exercise because that approach usually does not take business priorities into consideration. 

For my employer, it’s about getting fans to our events and the fan experience. I consider this aspect whenever I engage with the C-suite or business leaders. Having this framing and understanding of the business imperatives dictates my approach and helps form more collaborative partnerships that result in regular interactions, which provide a forum for information sharing and communicating cyber priorities.  

Another important tool is sharing security metrics through a balanced scorecard that conveys cyber priorities and business objectives, which resonate with the C-suite and business leaders. My goal is to align the data with what I understand to be important to the business. This ensures that I demonstrate how the cyber program is set up to enable their strategic goals and improve the company’s overall risk posture, which usually leads to buy-in and ultimately translates into action.  

Kory: We all know the world is moving quickly, and technology is always evolving. Historically, the security organization has had a lot on its shoulders, but during the age of digital proliferation, the scope of cyber programs rapidly increased to the point where security alone is not sufficient to mitigate against the modern threat. 

However, with that said, we can’t be overly reliant. While we may make significant investments in security, it will never be enough to stay current. If someone wants to target our business, there is a chance they might succeed, so we must go to the next step and think about the vulnerability of our data. It’s paramount for everyone to know their role in protection. 

Kory: How can we effectively respond to a breach and leverage insights from other breaches? 

Trina: Performing risk and threat assessments is always a good first step to proactively positioning a company to respond to a breach, as those assessments help identify threats in the industry that are applicable to your company and potential risks to the organization. Understanding your threats and risks presents the opportunity to prepare for and implement effective controls and safeguards to defend against bad actors and cyber criminals.

Additionally, when data breaches make headlines, they provide an opportunity for other security leaders to demonstrate and communicate to their C-suite and business leaders how their security program is set up to respond to a similar attack, or how gaps in the security program and operating model could leave the company vulnerable and unable to defend against such an attack.

By identifying any gaps and illustrating the potential consequences, security leaders make a case for budget allocation to proactively address those vulnerabilities or areas of weakness, and ensure appropriate defensive measures are in place to reduce operational impact and support resilience.  

Kory: In a hyper-competitive industry, trust is paramount with consumers and investors. Trustwave’s risk tolerance for a breach is very low, so we’re constantly evaluating ourselves. Our first line of defense is our user base, the second line of defense is the business units, and the third is the security technology.   

Do you have any final words of wisdom for everyone?  

Trina: Cultivate strong relationships within the business. We can achieve much more when the business perceives us as partners rather than dictators. Change your approach with vendors and start viewing them as strategic partners and an extension of your team. Invest in each other's success because if a breach occurs, it has the potential to affect both parties. The need for true partnerships has evolved, information sharing is key, and taking an integrated approach to security is a must. Establishing strong relationships, both internal and external, provides a different kind of layered defense that security technology alone can’t provide.  

Read more about bringing executives into the fold on cybersecurity in a recent blog: 6 Tips Any CISO Can Use to Inform their Organization’s Executives on Cybersecurity.
