Alex Bermudez
VP & CISO
Panasonic Corporation of North America
Communicating and executing on cybersecurity strategies that align with business priorities and risk appetite while minimizing cybersecurity risk are fundamental responsibilities of the CISO role. The challenge for many CISOs in translating cybersecurity nomenclature into information that resonates with business stakeholders is that the information isn’t always easily digestible for those outside of the field, and a CISO must ensure stakeholders from the business understand the importance and strategy of their work.
Alex Bermudez, CISO for Panasonic Corporation of North America, understands that in order to gain buy-in from executive leadership teams and continuously improve their risk management program, they need to start simple: with a common vernacular, a baseline risk nomenclature.
“We've established a risk nomenclature, a framework for us to reference, so when we refer to a threat and what a threat means, or about vulnerabilities, there's a common understanding within,” said Bermudez. “We use a common definition for threat, vulnerability, business impact, probability, et cetera, along with empirically backed risk analysis to describe risks faced by the business. It helps bridge understanding, so that when we’re having these discussions with our business stakeholders, it is more easily understood.”
While understanding the threat landscape, communicating vulnerability, and mitigating cyber risk do not require reinventing the wheel – they do require effective communication and alignment with business objectives.
Top-Down Buy-In
Bermudez’s current position at the parent company of Panasonic is fairly new, and he had been in the aviation business unit previously. The creation of his role is reflective of a commitment to the importance of cybersecurity and data protection for the business.
“As I've moved over from a business unit to headquarters, I'm now responsible for a broader set of issues in the region. The role oversees multiple business units now, and one of the things that we're focused on is regionalization of our security operation center,” said Bermudez.
“We've partnered with our business unit that carried some expertise and we had some of that expertise centrally, as well, and so we're really excited about being able to provide a centralized incident and monitoring service.”
By consolidating SOCs and forming a centralized, regional cyber incident response team, they’ve been able to enhance their 24-by-7 coverage while finding synergies across their regional SOCs in the EU and APAC. “Driving our SOC regionalization initiative from the top-down and implementing SOC monitoring use cases tied to business drivers strengthens our ability to defend against threats,” he said.
“Maturing a critical process like a regional SOC is easier when it has support from the leaders accountable for the profit and loss of the lines of business. Their continuous support for the program and their understanding of the cyber risk management issues facing the regional enterprise informs the security leadership team and can bring awareness at all levels of the organization. This is an educational component I have to be focused on and help them understand.”
Effective Communication
According to Bermudez, communicating effectively with the executive team has to include a solid set of meaningful and relevant metrics. Painting a picture of how the cyber risk management programs are performing using an ISO27001 or NIST CSF framework, measuring how the organization is managing the cyber risk using a CMMI scale, and clearly communicating program goals that align to business objectives, is critical to their success.
“Our cyber risk management goals are aligned to the overall business strategy and executive board level leaders influence the direction of our programs. There are several regional executive steering committees where cyber security is a recurring agenda item, so it's very reflective and aligned with their intention and mission,” said Bermudez.
Their risk appetite is balanced, they understand the importance of security.”
“They are in tune with the high priorities and what kinds of threats and vulnerabilities can affect our lines of business and the types of material impact these issues can have, which in turn shapes the priorities of the program,” said Bermudez.
“It's important to ensure that you're communicating often, you're transparent with your work, and that you're aligning your initiatives with existing business process and future objectives; this ensures security is focusing its resources on identifying and mitigating against threats (and open vulnerabilities) that can do the most economic and reputational harm. It’s a process of continuous improvement,” he said.
Embedded Security
Organizations that experience the most success with their cyber and information security programs embed themselves in existing organizational processes, i.e. change management, software development, supplier/vendor management. For example, when assessing supply chain risk, Bermudez and his team partnered with the supply chain procurement team to integrate cyber risk assessment processes that work in tandem with vendor onboarding; in turn, this has helped streamline their actions and provided visibility without significant bureaucracy and overhead.
“It's aligning to existing processes that are already well established, and ensuring security is part of that as well; by not reinventing the wheel, things are easier to assimilate. We also treat our security program as a set of programs. Everything from incident response to security awareness to application security, to supply chain is driven by a clear policy mandate, a supporting standard, and a corresponding risk assessment requirement,” said Bermudez.
By defining a standard set of key performance indicators (KPIs), they are able to speak to the executives about the efficacy of each of their cyber risk management areas in a way business leaders can relate with.
For most CISOs, identifying, evaluating, communicating, and driving cyber risk mitigation is an ongoing endeavor. Whether an identified risk is highly technical or fairly straightforward and easily understood, learning to deliver your message is an ongoing process of refinement.
“Being able to communicate with stakeholders with different areas of subject matter expertise is a critical success factor for any CISO working to secure their business, obtain program buy-in, establish trust, and build partnership to achieve objectives,” said Bermudez.
Special thanks to Alex Bermudez and Panasonic Corporation of North America.
by CISOs, for CISOs
Join the conversation with peers in your local CISO community.