Tell us about your role as a CISO.
As the CISO at Code42 I lead global risk and compliance, security operations, incident response, and insider threat monitoring and investigations. Most recently, my responsibilities expanded, and now I also lead our global IT organisation as the vice president of information systems.
How has the role evolved and increased in credibility in the last few years?
Not so long ago, the role of the CISO was heavily focused on managing the black and white security controls of a business. Today, the pendulum has swung in another direction and now, CISOs are more focused on assessing, managing and mitigating risks to the company and its data. Some CISOs are so entrenched there that they could serve as the organisation’s chief risk officer (CRO). Any CISO that can make risk-based decisions is a much more credible partner to the business than a CISO who pitches doom and gloom scenarios. You have to be able to solve challenges in a context that benefits and helps the organisation grow, all while maintaining the risk posture set by the board and the CEO of your company.
Given all the advances in modern day technology, is security now more of a priority?
As businesses, we want more transparency, accessibility and visibility into our data and operations. And we want it fast. That’s why it’s more of a priority today than at any other time to apply security in the proper way. More and more CISOs are reporting directly to CEOs, which points to the increasingly important role CISOs play in assessing and managing risk for businesses.
What are the best preventable security measures and solutions online?
There are a few tools that are critical to being able to protect an organisation. Phishing is one of the easiest ways for adversaries to launch malware attacks on organisations. For that reason, email inbound security tools are absolutely indispensable in helping to significantly reduce rates of phishing. EDR (endpoint detection and response) is an effective tool for identifying threats on endpoints and immediately taking care of them. Finally, it’s vital to have visibility of where all your data lives and how it moves across your environment – including to cloud applications – so that you can speed up the detection of and responses to threats. We use our own solution (Code42® Data Loss Protection) at all times for data visibility.
What are the biggest challenges you face in the role?
There are two main challenges that the entire cybersecurity industry faces. First, security practitioners are challenged to keep up with a high volume and wide variety of threats. Second, compounding the highly active, dynamic threat landscape is a talent shortage. As a CISO, it is very challenging to not only recruit knowledgeable talent, but also retain existing talent.
How do you ensure your wellbeing?
I need to remind myself that security is the responsibility of all employees and ensure everyone is taking accountability for the risk of the organisation. The role of a CISO is a very stressful role that can sometimes feel like there is no way to catch up. In times of high stress, I make sure to maintain a regular exercise routine and also take days off to recharge.
What do you enjoy most about the role?
I love solving a variety of problems, and in security, there is no shortage of challenges facing us. The other thing I really like is that decisions and reactions need to happen very quickly. I love the pace and how quickly things change. No two days ever look the same, and that is energising for me.
Have you always had an interest/background in technology?
I was always very interested in technology in high school and had a mentor that saw my interest. He was the technology coordinator for our entire school district, and I worked for him a few days a week. We would buy all sorts of different computer parts and then assemble the lab’s computers. He taught me the basics for everything that falls under the information technology umbrella.
After graduation from university, I worked for Deloitte in their enterprise risk services team. Deloitte was on the leading edge of cyber risk. I was doing penetration testing when companies didn’t know what a pen test was. It was a great opportunity that transitioned me from IT into cybersecurity and spurred a deeper interest in the industry that never went away.