A highly anticipated session this year was the CISO panel led by RSA Conference Program Committee Chair Hugh Thompson. The panel brought together several CISOs from global organizations responsible for overseeing and securing our most critical infrastructure during the pandemic, who shared their top learnings and priorities moving forward and discussed the expanding role of the CISO in a new digital world.
Florence Mottay, Senior Vice President Information Security and Global CISO at Ahold Delhaize, opened by addressing the human side of the pandemic and the resilience of employees in a time of crisis. “Security professionals are used to dealing with a crisis, so we are good at it,” she stated. Concern for the employee experience and the well-being of workers was a common sentiment echoed by many CISOs at Conference this year. Florence held a town hall two weeks after the lockdown and started a process called the Vitamin Shot, where each team lead held morning meetings that enabled employees to discuss their personal struggles, particularly the challenge of working remotely while having to help kids with virtual learning or worry about elderly relatives who were vulnerable to the virus. This helped keep teams connected and engaged and enabled some to build relationships with colleagues in different countries whom they might not have had the opportunity to work with otherwise.
Lakshmi Hanspal, Global CSO at Box, reaffirmed the notion of putting people first and the importance of organizations leading and operating with empathy. As organizations move from crisis mode to strategic mode, Hanspal suggested there are many opportunities for CISOs to capitalize on as we make the “shift to next,” including finding better ways to work with the communities we support, building better private and public partnerships, and focusing on ensuring supply chain resiliency. Hanspal said, “We need to put the spotlight on shared responsibility and the values of corporate citizenship.”
Many on the panel highlighted how the role of the CISO has changed due to the pandemic. Marene Allison, CISO at Johnson & Johnson, felt that change more than most. With Johnson & Johnson being responsible for developing one of the most critical vaccines of our time, she noted CISOs were suddenly “thrown into the spotlight” as risk management, securing infrastructure, and protecting intellectual property across the healthcare industry have become more than just a business problem: they are now necessary for humanity and the common good. Allison also mentioned that having to pivot to a new digital economy with such speed provides a great opportunity for organizations moving forward to be more resilient and innovative. Allison noted that those who had already adopted cloud services found the transition easier, and that this allowed for rapid innovation in the way we deliver healthcare, such as the use of telemedicine.
Darren Kane, CSO at nbn™, experienced the changing role of the CISO personally. Responsible for a network delivering broadband access to millions in Australia, Kane was asked to step up and lead the company’s crisis management response. The pandemic helped him realize the critical role the CISO plays in the face of crisis. In Kane’s case, being resilient was an imperative that meant the economy could continue to function. Moving forward, Kane anticipates that the role of the CISO will develop and grow into a Chief Trust Officer where the focus will be on building security and reliability to create trust. “You have to trust the provider and the service being provided, and we are the custodians of that trust.”
Dr. Reem Al-Shammari, Digital Transformation Leader of Corporate Solutions and Digital Oil Fields at Kuwait Oil Company, stated that the CISO would become “the champion for digital transformation” and expressed the importance of developing cybersecurity as a culture that needs to be reflected everywhere and aligned to the business.
As corporate culture and the role of the CISO shift, technology will play a pivotal role in enabling it all. Phil Venables, CISO at Google Cloud, discussed the role cloud providers will play in supporting organizations to enhance security with what he calls “usable security.” While organizations have invested heavily in user experience and design, Venables noted that the same investment has not yet been realized in security. “Good security is not about mitigating risk but providing business benefits.” Venables also highlighted the role usability plays in workforce productivity. “We talk a lot as an industry about the cybersecurity skills challenge where we need more cybersecurity people, but perhaps what we should be focused on is 10x the productivity of the cybersecurity professionals we already got through radical improvements in the tooling we give them to do their job.”