Tom Watson, VP-IT and Digital, Global CISO, Sealed Air Corporation
Corporate security has often been an afterthought in many industries. Although companies are quick to introduce new software applications, improve network architecture, and adopt cloud for storing data, security aspects of these technologies is put on the back burner. For example, many companies have adopted modern software development frameworks such as Agile/DevOps. A better approach should be on implementing DevSecOps wherein security is an important constituent in the entire scheme of things. DevSecOps takes a security-driven approach from the outset. Lack of focus on security is partially due to the shortage of skilled security individuals in the industry. The need to ramp up the talent pipeline—to focus on the growing importance of IT security—is slowly picking up pace and will hopefully be an essential forethought for business in the future.
Consider the insurance industry which currently relies on a reactive approach wherein clients buy insurance for tangible goods; however, we find ourselves in an ethereal position when it comes to IT security and the potential loss of data. This is demonstrable in the Wanna cry ransomware attack in May 2017, where a company reported potential loss of up to $300 million. The company then looks to an actuary that is required to stipulate a specific amount of money which could vary depending on the type of and amount of data that was compromised.
Personal Insights on IT Security and Governance Sector
48 of the 50 states in the U.S. have their own data privacy laws. It is essential to ensure that data security policies are developed and adhered to within a company. That said, it is crucial to ensure that these data privacy policies are aligned with global regulatory standards, essentially, satisfying compliance mandates. With the new General Data Protection Regulation (GDPR)—effective May 2018—many organizations are scrambling to meet compliance requirements.
Security needs to be a primary focus. It cannot be a mere afterthought rather it must go hand-in-hand with development and planning efforts
In the last year there has been no shortage of third-party companies that have introduced programs to aid these organizations. The key for any organization in this scenario is to map out a strategic plan on how to achieve the regulatory goals. With regards to global organizations, introducing impact assessments is critical in addition to identifying where sensitive data resides because obligations exist to protect personal information. Next is the exercise to map out data flows; whether those reside within systems on-premise or in the cloud.
Identifying the Right Partner
When we talk about security, there are several aspects that need to be taken into consideration; different organizations have varying levels of risk appetite. Consider the recent financial crisis, there were some banks that were very aggressive in nature and took on high risks with loans. Some were monetarily successful, while others didn’t factor in the risk element appropriately. This is applicable to the manufacturing sector as well. Smaller organizations do not necessarily possess the resources to routinely test and verify solutions, hence take risks. Building strong relationships with partners that have worked to institutionalize their processes is vital. Small organizations can learn from larger organizations that have more funding and have effective SDLC (Software Development Life Cycle) type processes.
Security needs to be a primary focus. It cannot be a mere after thought rather it must go hand-in-hand with development and planning efforts. We are fast approaching a tipping point in the IT Security solutions space where a consolidation of solutions is required. This scenario was experienced shortly after the .com downturn in the early 2000s. Organizations need to consider what solutions they have in place and balance their effectiveness versus the overall investment to prove true value.
Advice to Aspiring CISOs
Looking back at my career, that started more than 20 years ago, much of what we as an industry did was completely reactionary. We weren’t mindful of considering the repercussions for aggressive responses to security incidents that could be caused downstream. Security breaches were dealt with a very narrow focus and without thoughtful regard to risk. Today, however, threat detection and incident response is performed more attentively following a risk based approach. Therefore, I recommend thinking long-term and avoiding knee-jerk reactions. Be thoughtful when planning responses and delivering appropriate communications. Also, it is important to be risk-averse but sometimes there is a need to take a risk. In my career, I have had to take risks and I have often learned new things that helped me stay ahead of the game. Lastly it is extremely important to maintain a high-level of integrity throughout one’s journey, both in their personal life and professional career.