I’m the Chief Information Security and Privacy Officer (CISO & CPO). I pioneered an integrated global InfoSec and Privacy program, developed a long-range strategic roadmap linked to business objectives and built a strong team from the ground up. I’m responsible for the delivery of multiple services, including but not limited to:
The CISO role has evolved significantly in this decade. Depending on the risk appetite and scale of digital transformation in organisations, the CISO role now spans across some or all of the following personas:
When I started my career as a CISO in 2003, I was spending most of my time in persona one above. Currently, my role spans personas two through four. The convergence of security, privacy and enterprise risk also offers potential for CISOs to become Chief Risk Officers (CROs) of organisations going forward.
The winds of change are blowing through today’s workplaces. Macro trends such as Industry 4.0 and distributed work require companies to enact and accelerate digital transformation powered by the cloud. Technologies such as Artificial Intelligence (AI), blockchain, edge computing, the Internet of Things (IoT), autonomous vehicles, robotic process automation, etc., are helping to foster innovation and competitive advantage.
The security and privacy risk nexus of the IoT brings a unique set of challenges. Nation-state hacking and supply chain threats are also major factors in the evolution of cyber risk.
Cybersecurity Ventures projected there would be 3.5 million open positions by the end of 2021. Thus, companies are not able to staff up appropriately with the highly skilled resources needed to protect the enterprise. Ultimately, the exponential rise in security threats and the acute shortage of InfoSec resources makes these very challenging times in cybersecurity.
Remote or distributed work is here to stay. There’s a paradigm shift underway due to:
As a CISO, I believe I should help enable the business. Given the above trends, it’s now par for the course. Further, the trifecta of identity, Zero Trust and software defined perimeter power seamless access to “anytime, anywhere, authorised” access to digital applications and services.
I believe that adoption of Zero Trust will accelerate. Dynamic threat protection will be further propagated by security providers banding together in alliances and tightly integrating their platforms to strengthen Zero Trust. One such example is the Spectra alliance between Okta, Proofpoint, Crowdstrike and Netskope. Another example is the Zero Trust alliance between ZScaler, Cloudflare and Sentinel One. This trend benefits enterprises and providers. I expect that this trend will grow. InfoSec professionals will also band together to share best practices via organisations like the Cloud Security Alliance.
This is the second CSO50 award for Nexteer during my tenure — our first was for identity lifecycle management. Our 2020 award was for the thought leadership and deployment of an IoT security platform in our manufacturing plants. This platform enables:
As Nexteer embraces digital manufacturing to increase efficiency and optimise operating costs, there’s been an explosion of IoT devices on the plant floor. Further, more and more of our home devices are becoming internet connected. The exponential proliferation of IoT devices and immature security practices make them targets for attack.
Key CISO guiding principles for Nexteer’s IoT security deployment are as follows:
The IoT security platform enables visibility to all devices on the manufacturing network. It allows us to identify device posture in real time, detect embedded threats and drive proactive control strategies. This enables enterprise risk management and strengthens cybersecurity.
My first step was to build a detailed services and competency framework with the skills needed for each role as well as a strategic hiring plan. We periodically review and update this framework. It can also be used for career pathing and succession planning.
Further, I employ the following steps and strategies to manage and develop talent:
I’m also pleased to say that my team is diverse, with 50% men and 50% women. This has also helped drive synergies and creativity.
Early in my CISO career, I was on the cusp of enacting a global network and security transformation. I worked hard to build a strong business case and payback to illustrate the value. However, times were tough. The board cut, so my budget was reduced, and I was still asked to lead and complete the transformation.
I embraced what I now call “the power of federation.” I reached out to all the key partners for help and found win-win strategies. I obtained significant discounts for professional services. For software, I consolidated contracts in the U.S., since our budget was euro-based, allowing us to benefit from the exchange rate. Ultimately, we finished the project under budget.
We saved significantly on operating costs, strengthened enterprise security, enhanced network quality of service and consolidated servers. The project inspired multiple case studies and resulted in a Network World All Star award.
Essentially, the most profound executive decision I made was to ask for help and not quit. I learned early on that building strategic, trusted partnerships and strong business relationships can be a great asset to all parties.