The CISO in 2020 (and beyond): A chat with Bruce Potter
You’ve probably run into a few headlines declaring that 2020 saw “the rise of the CISO.”
Well, we agree.
This year required all of us to step up to the plate and step outside of ourselves to meet completely unexpected and phenomenal challenges (we’re on a hiatus from using “unprecedented”).
And in the tech world, we saw the role of the CISO evolve – pushing a member of the C-suite who’s used to working behind the scenes to being front and center.
Now that we’re finally reaching the end of 2020, we’re taking a moment to look back.
So, I sat down (virtually) with Expel’s CISO, Bruce Potter, to reflect on this year – how we overcame the challenges it presented and what anyone in security should be thinking about as we enter a post-2020 world.
There are many things that won’t go back to being the way they were before 2020. Do you think the role of the CISO is one of those things?
Yes. I think that coming out of 2020, CISOs will have a more central role in businesses. CISO’s have been front and center in many organizations’ pandemic response. The ability to meet risk objectives while working remotely is the only way most businesses can continue to operate. And in the case of the CISO, that meant many of them had to complete remote work projects in days that would have otherwise taken years. The success of a company’s remote work strategy is in large thanks to the work of the CISO.
During my time as a CISO, I’ve learned to focus more on rapid understanding of a problem and leveraging experts to get a solution out fast we can iterate on. It gets us better near term defenses and in the long run is less resource intensive. This is something every CISO needed to quickly master this year.
I think security really is an enabler during COVID and many executives see that a good CISO can be a differentiator, not just something required for regulatory purposes. I expect CISOs to be elevated in org charts and be responsible for broader swaths of risk, not just cyber.
Everyone wants to know – what are the biggest security threats we should be aware of?
Far and away, that’s what takes down companies. From the latest Twitter hack to some of the earliest attacks on the Internet, social engineering is still the number one way companies get compromised.
Combined with ransomware tooling, the impact can be devastating. We’re a long way off from solving this issue as we generally have poor authorization schemes in our organizations. Users tend to have far more access to data and systems than they need, but solutions to help with that are few and far between.
It’s clear that orgs can’t get away with not taking security seriously. What did you include in your 2021 planning?
We’re focusing on three major areas for 2021:
1. Product and software security.
Looking beyond the security of your enterprise and focusing on the security of the services and products you are developing is an important part of the overall security of an organization, but sometimes it falls outside the scope of the CISO’s role. In our case, it’s squarely my responsibility and it’s a huge focus for us in 2021.
2. Formalized risk management.
Paying attention to security tech is only one part of a functional security program. Having formalized processes around security and privacy risk management is a function that is often more “seat of the pants” than a formalized thing. We’re working to codify our risk management processes to make our risk management a more repeatable and efficient process.
One thing we’ll continue to do here: Not rely on vendors to tell you what questions to ask when it comes to assessing third-party risk.
We’ve developed our own third-party questionnaire and narrowed it down to 10 (what we think are really good) questions.
3. Cloud authorization.
We’re cloud native so it means we’re all cloud all the time… and as much as we have sign-on signal (SSO) – we don’t have centralized fine grained access control to cloud services. We have to configure authorization for each service, which doesn’t scale (obviously). It’s time to fix it.
Expel recently gained ISO/IEC 27001:2013 certification and integrated the ISO/IEC 27701:2019 extension to our certification.
Does this mean that all orgs should do this?
The simple answer is “maybe.”
It depends on if your customers care about how secure you are. The answer for a law firm (as an example) vs. a SaaS provider is probably very different.
When you’re providing online services, you need to be able to express to your customers, in a very believable way: “We know what we’re doing from a security perspective.” There’s a lot that goes into that, including transparency in operations, having good processes and procedures and having an architecture that lends itself to securely handling customer data.
ISO27001 and ISO27701 are great certifications that can help you demonstrate this to customers.
While certifications aren’t the be-all-end-all when it comes to building trust, they’re a fantastic starting point.
Looking back at the dumpster fire that is 2020 – are there any lessons that you couldn’t anticipate needing to learn but you will now keep in your toolbox moving forward?
I couldn’t anticipate that one day I’d need to get every single member of my company working fully remote within a 72-hour timeframe.
We ended up spending a lot of the year being concerned about our employees, their welfare and the quality and security of their home networks.
Being successful in 2020 required having a very personal touch and view of our security controls. I think keeping that customer focus going forward will allow us to have low-friction security solutions that people don’t work around or ignore.
It’s safe to say that CISOs were in pretty high demand when it came to interviews. Is there a question you wish someone asked you this year but didn’t?
How has productivity and innovation been impacted by working from home?
It may seem like a CIO or COO type question, but I think security has a big impact on this as well. The security controls in place when collaborating in person (say in a conference room) vs. remotely (Zoom? Slack? Virtual whiteboard?) are very different. Ensuring that your security program is not getting in the way of collaboration and productivity is very important. Ideally, your security program enables collaboration and productivity. Ensuring your actions as a CISO are aligned to the business needs, not just business security needs, can be a real differentiator this year.
Let’s hear it for the CISOs! Seriously, thank you.
To say that working through this year wasn’t easy is an egregious understatement. We’re appreciative of Bruce – and our entire Expel team – for never skipping a beat when it comes to keeping our customers and our Expletives safe.
We hope these insights are helpful to you as you complete your 2021 planning.
Do you have any burning questions that we didn’t cover? We’d love to hear them!