How are “next generation” CISOs approaching upskilling their team?

306 views1 Upvote6 Comments

VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
I think what I'm driving for as we look at 2021, is really well articulated training programs to advance the skillset. So our security engineers think like developers, and then they test hackers. And I think a combination of those two skillsets is the right combination, especially in relation to what the threat landscape is doing right now. We do a lot of advanced computing in the cloud and in containers. I've shifted our whole cyber focus, including our tabletop exercises. We do code resilience testing, to make sure that our products are stable. There's also a mindset shift that has to happen around the traditional way of doing security, to view it as a service. A service has to understand what that client, especially our developers and our engineers, needs. Evolving that thought process with your teams ensures the service fits what your internal customers are doing. Years ago, we were working on rightsizing the number of procedures we had, and actually making it more nimble for the developers and engineers. We've spent a lot of time automating the standards, so instead of the security policy sitting outside of the system, we've actually taken the requirements and embedded it in code.
1 Reply
Sr. Director Third Party Risk Management in Healthcare and Biotech, 10,001+ employees

One of the things that we're continuing to do is a cyber cup. So that's one of our training opportunities, where we opened it up to the organization and have gamified exercises. To say, “okay, here's some little tests or things, can you exploit a particular server?” And that gives an opportunity to the developers to understand, wow, if I didn't put this into my code, this is how a threat hacker could exploit it and how easily it can be done. And then for those that rise to the top, we find out this person actually has good skill sets that could be translatable to the security world. And we've actually hired some of those developers into the application security realm, and they are now in our camp.

Sr. Director Third Party Risk Management in Healthcare and Biotech, 10,001+ employees
The level of discussion and accountability as a senior director is a bit transformational. I can only imagine that at the C-level or CISO level it’s even more profound. Reorganization and centralization helped our team. Previously, we had a very bifurcated company where all the lines of businesses had a different CIO. And it was only about two and a half years ago that they centralized under a single CIO. Then you had to look at the different tools in the various lines of business to determine if they are actually commensurate to each other, providing the same level of coverage and protection that we need from an enterprise, or even meeting expectations. When we spoke to different team members, their benchmark or their goals were different. It was eye-opening and highlighted potentially a false sense of security; we were measuring towards different goalposts. Then we had to determine: “How do we drive a shared understanding of what the expectations are that align with our business risk?” And, from there we could march forward. Now there has been an increased focus on operational technology, especially with COVID-19 and vaccines. So understanding the metrics around our coverage or risk factors as it relates to our distribution centers is important for our team. Do we have the appropriate controls in place to mitigate against those emerging attack vectors or threats, and then likewise, compliance with the Center for Disease Control and other government regulatory contracts.
Director of Information Security, 10,001+ employees
I think some of the concerns that we're grappling with now is making sure people are working on the right things and trying to retain all those folks without burning people out. We've been really focusing a lot on prioritization and it seems to help for a bit, but then everything is important again. We keep going back to that same old logic of, okay, is that really above the line or below the line? It just feels that line's always changing. We pulled together our shared services groups (digital, cyber and infrastructure) because in all three groups, to do anything we need buy-in from the other teams. Now we have a shared strategy across all three groups. We prioritize together and it's actually worked out really well. We've got another two year strategy in place. Now we're trying to get the rest of the different IS groups to understand, your fire doesn't become our priority. I think it's about trying to get a common understanding for what it means to those groups that go across the whole company that support technology. Getting them on board and making sure that we have shared priorities or at least go through some type of central prioritization process.
1 2 Replies
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees

That's fantastic. To get a common goal, common vision across those IT teams.

Director of Information Security, 10,001+ employees

It was really the groundswell of effort that now has both bottom-up and top-down.

Content you might like


It’s being considered40%


Don't know5%




Greater than 50%54%


Less than 50%14%




Director of Systems Operations in Healthcare and Biotech, 10,001+ employees
By far the best place for me to travel was Shanghai. Loved the city and the vibe. Singapore is also an amazing place to have to be stationed for work.
Read More Comments
2.4k views2 Upvotes2 Comments