How are “next generation” CISOs approaching upskilling their team?

I think what I'm driving for, as we look at 2021, is really well-articulated training programs to advance the skillset. So our security engineers think like developers, and then they test like hackers. And I think a combination of those two skillsets is the right combination, especially in relation to what the threat landscape is doing right now. We do a lot of advanced computing in the cloud and in containers. I've shifted our whole cyber focus, including our tabletop exercises. We do code resilience testing to make sure that our products are stable. There's also a mindset shift that has to happen around the traditional way of doing security, to view it as a service. A service has to understand what that client, especially our developers and our engineers, needs. Evolving that thought process with your teams ensures the service fits what your internal customers are doing. Years ago, we were working on rightsizing the number of procedures we had, and actually making it more nimble for the developers and engineers. We've spent a lot of time automating the standards, so instead of the security policy sitting outside of the system, we've actually taken the requirements and embedded them in code.

Anonymous Author
The level of discussion and accountability as a senior director is a bit transformational. I can only imagine that at the C-level or CISO level it's even more profound. Reorganization and centralization helped our team. Previously, we had a very bifurcated company where all the lines of business had a different CIO. And it was only about two and a half years ago that they centralized under a single CIO. Then you had to look at the different tools in the various lines of business to determine if they are actually commensurate to each other, providing the same level of coverage and protection that we need from an enterprise, or even meeting expectations. When we spoke to different team members, their benchmark or their goals were different. It was eye-opening and highlighted potentially a false sense of security; we were measuring towards different goalposts. Then we had to determine: "How do we drive a shared understanding of what the expectations are that align with our business risk?" And from there we could march forward. Now there has been an increased focus on operational technology, especially with COVID-19 and vaccines. So understanding the metrics around our coverage or risk factors as it relates to our distribution centers is important for our team. Do we have the appropriate controls in place to mitigate against those emerging attack vectors or threats, and then likewise, compliance with the Centers for Disease Control and other government regulatory contracts?
Anonymous Author
I think some of the concerns that we're grappling with now are making sure people are working on the right things and trying to retain all those folks without burning people out. We've been really focusing a lot on prioritization and it seems to help for a bit, but then everything is important again. We keep going back to that same old logic of, okay, is that really above the line or below the line? It just feels like that line's always changing. We pulled together our shared services groups (digital, cyber and infrastructure) because in all three groups, to do anything we need buy-in from the other teams. Now we have a shared strategy across all three groups. We prioritize together and it's actually worked out really well. We've got another two-year strategy in place. Now we're trying to get the rest of the different IS groups to understand that your fire doesn't become our priority. I think it's about trying to get a common understanding of what it means to those groups that go across the whole company that support technology, getting them on board and making sure that we have shared priorities or at least go through some type of central prioritization process.