"Moving myself out of my security 'ivory tower' was one of the best things I ever did"
Dr Paul Lewis, Senior Director of Cloud Security, Elsevier discusses understanding business security needs and the CISO role with Sebastian Avarvarei, Director for Security Advisory Services Europe at Wolters Kluwer and Chad McDonald, CISO, Digital.ai. Hosted by Thom Langford, Founder, TL(2) Security.
View the full Webinar here.
We've found, across a number of organisations though, is that as the remit of audit has expanded, they've actually not deepened their knowledge of the technology or the security as much as they should. And I've seen, on numerous occasions, some very egregious issues and vulnerabilities actually being completely passed over, completely missed as a result. So it seems like they've got the one thing we want. And we've got the one thing that they want. We've got the technology and security understanding, and they know how to talk to people.
Yeah. And it's a really interesting cultural thing, isn't it? Because when you start boiling all these things down, ultimately, communication is part of culture and so on and so forth. But when you start thinking about things from a-- there's a question just there from, I believe, Kate about behaviours. One of the best things I ever did as a security practitioner was to go and actually speak to people who are not security practitioners and understand how they work, developers, auditors, business analysts, people from the business, formulation chemist, in my own career, and actually speaking to them and saying, what actually keeps you awake at night? And moving myself out of my security ivory tower was actually one of the best things I actually ever did.
Yeah. Yeah, absolutely. In fact, a CISO's role is not necessarily about the technology security. It's not about making the company more secure. It's about helping them sell more stuff, improving security. Absolutely.
And in fact, Chad, I think you mentioned in the preparation call that we had about-- and correct me if I'm wrong here-- about in the early days of CISO careers, the default answer was always no. Because, hey, that's more secure, right? It's risk avoidance, if nothing else.
Exactly. Again, as Tom mentioned, when I was a young man with new security shoes, so to speak, no was the order of the day. If it doesn't fit in this box, then we're not going to do it. The end. Bottom line.
These grey hairs and battle scars have helped me learn that, really, the role of the CISO is to enable business. And for me and for a lot of organisations, that is selling something. So ultimately, you're trying to enable faster, better, more profitable business, and putting guardrails on what some business function is trying to do to do it in a reasonably secure way.
Yeah. Definitely recognise that. I had exactly the same growing into the internal security, starting from the position of, well, I'm the gatekeeper who has the rubber stamp with the yes and the no, and then realising that that actually doesn't make me very popular in the organisation and especially doesn't help the organisation. When I started to try to talk more and to listen more, projects were coming. OK, what exactly are you trying to deliver in this project? Right, OK, so I see an issue here.
So this is a risk. Let me work with you and see how can we solve it. So turning the discussion from, no, you cannot do it, to, let's see how can we do it together. And this is a paradigm shift that helped me also later when moving more towards the security governance, security management, and understanding that the role of security, at the end of the day, is not even to say yes or no. The role of security is to help management quantify the risks. As I said earlier, with some numbers, try to bring some information about what's happening in the dark web and letting them know what are the threats that we see out there but letting them make the decision in the end.