With their company's systems, data and brand to protect, Chief Security Officers (CSOs) were once seen simply as the people who said "no." Today, CSOs are dismantling the barriers that used to separate the security organisation from the rest of the business.
AVAIL caught up with Sungard AS Global CSO Shawn Burke to talk about taking on security challenges in this new era of collaborative security.
Q: Shawn, you bring two decades of IT security experience to your role as CSO. With today's cybersecurity challenges, how has life changed for the CSO?
Traditionally, cybersecurity was viewed as an IT-centric responsibility, and the CSO would focus solely on applying technical controls for mitigating threats. With the rapid evolution of technology, the vast amounts of data at our disposal and regulatory requirements, cybersecurity has become more top of mind for the rest of the organisation.
Now, CSOs often have a seat at the table with the board and executive leadership. There is an expectation for the CSO to have a full understanding of business strategy and objectives and to translate that into operative information security controls. These controls are not always directly under the CSO's charter, so they need to collaborate effectively with the rest of the organisation.
Q: So, it's more of a shared ownership for security?
Yes. I recently did an interview about how to be a successful CSO, and I talked about the importance of building relationships and having the communication skills to engage with the business as a trusted advisor, and of learning how to influence instead of just delegating and managing security directly.
To accomplish that, the language of security leaders is becoming less technical and more business oriented, so their risk management methodology can be clearly articulated and understood by business stakeholders.
So, as a CSO, it's no longer just about evangelizing how important security is and saying "no." Our value comes into play when we figure out how to enable the business with different services, while they're still being protected.
Q: Do you have an example of how that collaborative model works at Sungard AS?
Sure. When it comes to integrating the security function with overall business processes, one avenue my team has taken is to align closely with the Program Management Offices. So, if there is a formal project, security requirements and review will surely be part of the plan. The key is making those security requirements enforceable while staying aligned with business initiatives and being a good partner.
For instance, our global operations team is responsible for monitoring our systems and responding to alerts. My role is to work with leaders in different operational areas to understand their roadmaps and influence the priorities they focus on. I give them direction, but I'm not micromanaging their daily tasks.
On the architectural side, I collaborate with our product teams to make sure security is thought of right from the start with all our products and services. I don't run the architectural function, but everyone has to come through our team to validate they have met our security standards.
I also meet with our CEO Andy Stern, his direct reports and the senior management team regularly to let them know about potential risks that may be of concern in the future—and ways we can work together to mitigate those risks.
Q: Cyberattacks, ransomware and the Internet of Things continue to pose risks. What other things are keeping CSOs up at night?
This year, I'm also seeing vendor risk management become more of a challenging reality. I'm an advocate for businesses making that transformational shift towards a cloud infrastructure to reduce costs, and there are many cloud security benefits to take advantage of now.
When it comes to compliance, there are concerns over GDPR and how the requirements may drive business costs higher as new data protection controls are considered. Our Chief Compliance Officer has been way in front of this and has defined a roadmap for meeting those demands.
Lastly, the cybersecurity talent shortage continues. CSOs will increasingly need to rely on automation for protection while they find creative ways to fill the gaps in security staffing.
Q: How does a CSO keep on top of these issues?
As mentioned in our new ransomware paper, there is no single solution to prevent an attack. That's why you need to implement a defence-in-depth security approach, with multiple layers of proactive and reactive measures to help you prepare, detect and mitigate future attacks.
A CSO also needs reliable, near-real-time threat intelligence and should consider adaptive countermeasures, such as security behavioural analytics that surface the patterns and anomalies that indicate potential threats. Having sound patch management strategies and constantly educating your employees also goes a long way when it comes to prevention.
Most importantly, don't assume everything is intact. Keep testing your resiliency and incident response plans, and conduct frequent risk assessments.
Q: Any last words for other CSOs?
A CSO should always be in a learning mode and never too complacent with how they are protecting their company's data. I'm always going back and re-evaluating our security program to make sure it's practical from a business perspective.
Ultimately, as a CSO you need to ensure the security function is continuing to provide organisational value by helping the business be agile enough to introduce new products and services more quickly, but with the right security controls in place.