We continue to recap sessions from this year’s SecTalks virtual conference by sharing insights from two current chief information security officers: Cobalt’s own Ray Espinoza, who has 20+ years of technology experience and held various security leadership positions at eBay, Workday, Amazon and Cisco, and Axel Springer’s Henning Christiansen, who has 20+ years of experience in information security, IT audit and risk management.
In this session, these seasoned CISOs draw upon years of experience managing information security programs within large organizations.
What can we learn from the recent high profile breaches?
When high profile breaches occur, like in the case of SolarWinds this past year, it begs the question: To what extent are we, and other organizations, using this particular software?
To answer this question, security teams need to have a full view of their assets. For larger companies, this can be a challenging endeavor. Henning points out that while the goal is to achieve transparency, you may not have the proper software or asset management in place to do so.
Having a clear view of what’s included in the full environment can also be a challenge for organizations that grow through mergers and acquisitions. Henning notes that sometimes when you acquire a successful company, you want to leave them the way they are and not interfere too much. However, because you are now connected to subsidiaries, it’s important to consolidate numbers and create “micro-connections.”
How do you stay grounded with your security strategy when major breaches cause a stir among management?
It’s inevitable that major breaches will ripple through the industry, causing a company to shift priorities; therefore, it’s important to stay flexible in your security strategy. Ray highlights that while the foundation of your strategy might not fundamentally change, it’s about organizing and maturing the security programs with specific initiatives over time. He says it’s a balance of being methodical and pragmatic while being able to account for the context of a situation.
When a major breach occurs, the interconnectivity between businesses can also influence what top management wants out of the security team. Henning notes the recent breach of the Berlin-based company Funke Media Group, and that due to Axel Springer’s ties to the company, their top management became aware of a phenomenon like ransomware for the first time. Ultimately, as these major incidents occur, top management wants to ensure the organization is secure, and that they, as top management, are doing the things they are required to do and living up to their responsibilities and accountabilities.
It’s also about understanding what threats are really about—money. As Henning puts it: you don’t know when, where, why, and specifically, who they might come from. Profitability is the ultimate goal of threats and cyberattacks, irrespective of the industry and size of an organization.
It’s also important not to let security become “out of sight, out of mind” with the management team, Ray says. When major breaches cause a stir in the industry, security teams want to talk about them and use them as a means to drive education with internal stakeholders— getting them to think about security, to support security and to start asking the right questions.
How do you maintain a consistent security bar across larger organizations?
At larger organizations, or ones with subsidiary groups, it can be challenging to manage and maintain a consistent security bar. There are varying levels of security maturity, Ray says, with some organizations valuing security as a core piece of their business and investing in it early, versus others who don’t see it as a priority.
However, both Henning and Ray have found that connecting people and teams can help solve this problem. Henning adds that for Axel Springer, because there is a high degree of independence given to the different units, he tries to network and connect people across units whenever possible. While this takes time, it ultimately opens up an opportunity for information exchange and for different units to learn from one another.
Other ways to maintain consistent security, Ray adds, are by creating security champions— bringing security-focused individuals together from different business units—as well as adding a security-related goal for everyone within the organization.
What advice would you give security leaders in smaller organizations to get their program off the ground and get buy-in?
For smaller organizations, Henning says, it’s about how you use and deliver information. Understand that you are responsible for being fully transparent about where you are and what your security level is, and that it’s important to convey that information to top management. It’s about speaking to the management team and stakeholders with the right level of language and details, like using concrete examples, so both parties understand the respective risks.
Ray adds that for smaller organizations, turning technical topics into takeaways that speak to leadership can be another way to get security programs off the ground and achieve buy-in. Try to make your message succinct—what you’re focused on, what you’re worried about and what this means for them.
What does compliance mean for security teams in larger organizations?
Security and compliance are not one in the same; an organization with compliance certifications does not ensure that it is 100% secure. But, compliance can be a way to instill confidence in customers. Henning says that whenever he is looking to buy IT services, he specifically asks for a SOC 2 Type 2 report as a way to get a picture of what the security looks like in the organization. So, while certifications don’t necessarily mean an organization has complete security, they are a good way to see that an organization is undergoing a high effort to secure their services.
Watch the live recording of this discussion and learn more about the event host, Cobalt’s Pentest as a Service (PtaaS) Platform.