In turbulent times, organizations need to focus on business priorities and restructure processes and teams. How should security leaders set their priorities, and how should they handle security incidents at scale while security budgets remain flat? And what communication strategies do CISOs need to adopt with Board members and other stakeholders?
Caroline Wong, Chief Strategy Officer at Cobalt.io, answers all these questions in an interview with Brian Pereira, Editor-in-Chief, CISO MAG.
Cobalt is a cybersecurity company with a focus on Pentesting as a Service.
Caroline was featured as an Influencer in the Women in IT Security issue of SC Magazine, named one of the Top 10 Women in Cloud by CloudNOW, and received a Women of Influence Award in the One to Watch category from the Executive Women’s Forum. She authored the popular textbook Security Metrics: A Beginner’s Guide.
Caroline is a strategic leader with strong communication skills, cybersecurity knowledge, and experience delivering global programs. Her practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga.
Edited excerpts from the interview follow:
In times of austerity, organizations have to make do with lean teams. What should be the priorities for security leaders when their teams are reduced?
Leaders should always ensure that the basics are covered. At a bare minimum, this includes incident response planning (logging and monitoring) and security awareness (make sure folks know what to do and who to contact if they suspect anything potentially malicious).
CISOs are used to constant change, and often try to cover as many gaps as possible. While this can work in the short term, I believe it’s more important to prioritize, allow the right balls to drop, and communicate transparently. A security leader must effectively communicate what is covered and what is not for any given business situation. The more consistent a leader can be in their communications, the more trust they can build with executives and stakeholders.
How do teams scale up and innovate without additional resources or budgets?
First, it’s critical to understand the way your company manages budgets, so you can accurately evaluate your options. For example, maybe your hiring plans have to be put on hold, but you still have discretionary OPEX to spend. Or vice versa. Having this type of specific knowledge will help you determine the best balance of technology, people, and process — whether you choose to build these in-house or outsource them to a third-party.
We observe an increase in security incidents during the pandemic. When handling these incidents, to what extent can automation help with scaling? What role do humans play here?
Automation can play a large role in scaling, but it’s important to remember that some types of activity may be a better fit for automation than others. Tasks that are well-defined and repeatable are good candidates for automation, whereas those that rely on judgment, creativity, and opinion are not. Remember that scaling can happen not only via automation but also by leveraging SaaS services and products. If you can get the same work done using a SaaS solution (rather than building teams and technology internally), it might also help you to scale cost-effectively.
How does a security leader communicate the importance of growth and scale top-down? What are the communication strategies to adopt for the Boardroom discussions?
Transparency and trust are key. The more a security leader understands the strategic goals of the business, the more effectively they can communicate them to their teams and help folks understand how their day-to-day security work contributes to the top-level organizational objectives.
Every organization goes through “ebbs and flows,” and it benefits security leaders and their teams to stay aware of what type of phase an organization is going through at any given point in time. During an “ebb,” security teams may be less likely to get new budget allocations or an increase in resources. In this case, scrappy and frugal behavior might be the best fit. During a “flow,” however, especially in times of rapid growth, there may be an opportunity to consider simple and efficient solutions that will scale easily without complex overhead, even if (on the face of it) it may not appear to be the most cost-effective solution.
I always recommend that security leaders consider not only the upfront cost of any initiative but also the ongoing cost of maintaining and operating that security activity going forward.
Similarly, it benefits security leaders to really understand what the board cares most about (is the company making progress towards its strategic goals?) and to frame security programs within this context.
What approaches work best to make the organization more “security aware”?
Security awareness is not something that is one and done. Security requirements are constantly changing, so training should be a continuous process. Because of this, having 2–3 minute “learn when you need it” training can be very useful, enabling team members to learn about security concepts on demand, at the moment they need them. Additionally, security leaders should develop relationships with leaders at similar companies. The more that someone like a CISO reaches out to his network, the more he can bring those anecdotes into his business conversations and say, “Well, so and so at this company is doing this, and we should be aware of that and consider whether we should follow suit or not.”
About the Interviewer
Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).