How are “next generation” CISOs approaching upskilling their team?
Sr. Director Third Party Risk Management in Healthcare and Biotech, 10,001+ employees
The level of discussion and accountability as a senior director is a bit transformational. I can only imagine that at the C-level or CISO level it’s even more profound. Reorganization and centralization helped our team. Previously, we had a very bifurcated company where all the lines of business had a different CIO. And it was only about two and a half years ago that they centralized under a single CIO. Then you had to look at the different tools in the various lines of business to determine if they are actually commensurate to each other, providing the same level of coverage and protection that we need from an enterprise, or even meeting expectations. When we spoke to different team members, their benchmark or their goals were different. It was eye-opening and highlighted potentially a false sense of security; we were measuring towards different goalposts. Then we had to determine: “How do we drive a shared understanding of what the expectations are that align with our business risk?” And, from there we could march forward. Now there has been an increased focus on operational technology, especially with COVID-19 and vaccines. So understanding the metrics around our coverage or risk factors as it relates to our distribution centers is important for our team. Do we have the appropriate controls in place to mitigate against those emerging attack vectors or threats, and then likewise, compliance with the Center for Disease Control and other government regulatory contracts.
Director of Information Security, 10,001+ employees
I think some of the concerns that we're grappling with now are making sure people are working on the right things and trying to retain all those folks without burning people out. We've been really focusing a lot on prioritization and it seems to help for a bit, but then everything is important again. We keep going back to that same old logic of, okay, is that really above the line or below the line? It just feels that line's always changing. We pulled together our shared services groups (digital, cyber and infrastructure) because in all three groups, to do anything we need buy-in from the other teams. Now we have a shared strategy across all three groups. We prioritize together and it's actually worked out really well. We've got another two-year strategy in place. Now we're trying to get the rest of the different IS groups to understand: your fire doesn't become our priority. I think it's about trying to get a common understanding of what it means to those groups that go across the whole company that support technology. Getting them on board and making sure that we have shared priorities, or at least go through some type of central prioritization process.
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
That's fantastic, to get a common goal, a common vision across those IT teams.
Director of Information Security, 10,001+ employees
It was really the groundswell of effort that now has both bottom-up and top-down.
One of the things that we're continuing to do is a cyber cup. So that's one of our training opportunities, where we opened it up to the organization and have gamified exercises. To say, “okay, here's some little tests or things, can you exploit a particular server?” And that gives an opportunity to the developers to understand, wow, if I didn't put this into my code, this is how a threat hacker could exploit it and how easily it can be done. And then for those that rise to the top, we find out this person actually has good skill sets that could be translatable to the security world. And we've actually hired some of those developers into the application security realm, and they are now in our camp.