“In reality, if you focus on those fundamentals, you’re going to be in a much better position than spending all your money on the latest amazing tool.”
Lindsey O’Donnell-Welch: In your experience, how have you seen the CISO job change over time, either in responsibilities or in relationships with others across the organization?
Bryan Willett: I remember the conversation very, very clearly, when I first was considering taking this role, I had a conversation with the vice president of R&D, because I owned product security at the time, and I still wanted some influence, but I was going into an IT security role. And he very clearly said, “you’re going into IT security, you don’t own product security when you take that role.” What I have seen evolve from that mentality, though, is a recognition that security risk is much broader than that. And I hit on it earlier, that if an attacker gained access to my environment, they have the potential for getting into our products, getting into our source code and manipulating that, or they have the potential of getting into maybe our manufacturing process and manipulating that. And when you start to look at that overall risk matrix or perspective, you realize that it’s not just the data, it’s also the potential collateral damage that could happen if somebody got in your environment, and you have to holistically look across all areas of the business. So that’s probably the first is, as a CISO, if you’re limiting yourself to just IT security and your aperture isn’t wider than that, you’re setting yourself up for a tough day in the future. So that’s one. Two, and I hit on this a little bit earlier, but supply-chain security is becoming huge. It is a huge concern for anybody buying software or hardware. And it’s important for an organization to have a champion somewhere that is driving that mission forward. For me, I found it important that we do that, we being the security organization. The reason that we took that banner and ran with it is we’re probably in the best position looking both at third-party risk, because we look at that regularly. We also work with customers on their concerns around security, and holistically looking between that and the certifications we have to get anywhere in our products, we were well positioned to start looking into the supply-chain side, and where are the risks both on the development side, and the manufacturing and then the logistics side of delivering a product. So that was a key area. The third area for me would be that as a CISO, it started as a very technical role, it really was someone who was an IT practitioner who got elevated into a CISO type title. Where I see it going, though, is definitely someone with a lot more business acumen, understanding what the business strategy is, understanding what the security organization’s impact on that strategy could be, and figuring out how to be an enabler for that. I see that as being a big part of the security role in the future.
Lindsey O’Donnell-Welch: What top security advice would you have for organizations?
Bryan Willett: First and foremost would be focusing on just fundamental security hygiene, cyber hygiene. If you look at something like the CIS 18 framework, they do a very nice job of laying out what your priorities in an organization should be in order to further better secure your environment. And they’ve done such a nice job that when you go look at your fundamental cyber hygiene, you should really be prioritizing those in order. You need to know what assets are on your network, you need to make sure that you have developed hardening standards for those, you need to measure that, you are compliant to those hardening standards. You need to be able to patch those systems, you need to be able to monitor those systems, you need to be able to manage identity. So many times, I think individuals or organizations think there’s a silver bullet out there to solve all your security problems. In reality, if you focus on those fundamentals, you’re going to be in a much better position than spending all your money on the latest amazing tool.