FEBRUARY 9, 2021
Each week on the Next Big Question podcast, we interview C-level executives and thought leaders about a big, timely business question. This week, Liz Ramey and I are talking to Global CISO Marc Varner of YUM! Brands and asking how cybersecurity can keep up with innovation in an enterprise.
Marc has had an incredible career as an information security leader, serving as global CISO for McDonald’s and holding senior roles with Navigant and Discover before joining YUM! Throughout his career, Marc has always focused on balancing the need for security with the intense demands placed on the business. That balancing act is paying off now, as advances in digital capability and utilization of customer data have created fertile ground for rapid innovation and information-technology growth.
Marc discusses how security can be a facilitator, not a blocker, of innovation.
I think it is creating a healthy tension -- and making sure that the healthy tension sort of balances both ends of the equation. And I think that's what the modern CISO has been called to do perhaps more than in the past.”
Drew Lazzara:
Marc, it seems as if generally businesses today have a greater appetite for business technologies and innovation. We've talked to a lot of CIOs in the last few years that say, “Business leaders are coming to me to help solve problems through technology.” And I’m wondering if maybe that puts security people in a little bit of a tough position because that ‘innovation’ can go in a lot of different directions and can be driven by a lot of different parts of the business. So, when you're thinking about the role of security in innovation, how do you define that at YUM! Brands? Where do you see yourself in the innovation life cycle as a CISO?
Marc Varner:
Well, hopefully, as in front of it as possible is the simple answer to that. And, I do think that we are. But I think that there are some basic principles that you have to first sit down, take the medicine and accept. I've often said -- it's important to run to the risk. And I think by embracing the risk, it mentally prepares you for the shift in what innovation requires of you. It is no longer to position yourself on the defensive, and say, well, how can't we do this? Or, what are the millions of toll booths and roadblocks we're going to have to put in place to do this?
Rather, embracing it from an enterprise security risk perspective, looking at it with an open mind, and then sort of backwards engineering your way into -- well, what do the control mechanisms need to be to do this safely?
As I'm fond of saying, if you're going to build a bomb, here's the safe way to build a bomb. Sure, it's dangerous. And you're creating something that's built to explode, so you have to do it carefully. But obviously, there's a right way to do it.
And, so I think it's -- that's sort of a crude analogy -- but that's really what we have to do, embracing its danger and that there are risks that lurk. It doesn't mean that you can't do it. It just means that there are certain controls and mechanisms and processes that you have to have in place.
So for me, I think that's how you embrace innovation better and show yourself as a change agent to the organization. As opposed to what security leaders simply used to be looked at as ‘the department of no,’ so to speak, and telling people what they can't do.
Listen to the full episode of The Next Big Question featuring Marc Varner from Evanta, a Gartner Company here, or on Apple Podcasts, Spotify, or your favorite podcast app.
by CISOs, for CISOs
Find your local community and explore the benefits of becoming a member.