The Next Big Question


Episode 11
Hosted by: Drew Lazzara and Liz Ramey

Marc Varner

Corporate VP & Global Chief Information Security Officer

YUM! Brands

Prior to joining YUM!, Marc served as global CISO for McDonald’s and held senior security roles with Navigant and Discover. Marc prides himself on balancing security with the demands for growth and innovation.

How Can Security Keep Up with Innovation in a Company?


JANUARY 26, 2021

On this episode, Corporate VP and Global CISO Marc Varner of YUM! Brands joins the podcast to talk about how security can keep up with innovation in a company. Marc discusses how security leaders can embrace risk and help facilitate innovation. Learn why he says it's important to run to the enterprise security risks, instead of being defensive, on The Next Big Question.

/

Drew Lazzara (00:13):

Welcome to The Next Big Question, a weekly podcast with senior business leaders, sharing their vision for tomorrow, brought to you by Evanta, a Gartner company.

Liz Ramey (00:23):

Each episode features a conversation with C-suite executives about the future of their roles, organizations, and industries.

Drew Lazzara (00:32):

My name is Drew Lazzara.

Liz Ramey (00:33):

And I'm Liz Ramey. We're your co-hosts. So Drew, what's The Next Big Question?

Drew Lazzara (00:40):

Well, Liz, in this episode, we're asking, how can cybersecurity keep up with innovation in the enterprise? Helping us tackle this big question is Marc Varner, global chief information security officer for YUM! Brands. Marc has had an incredible career as a security leader, serving as global CISO for McDonald’s and holding senior roles with Navigant and Discover before joining YUM! Throughout this journey, Marc has always prided himself on balancing the need for security with the intense demands placed on the business. That balancing act is paying off now, as advances in digital capability and more nuanced utilization of customer data have created fertile ground for rapid innovation. And while Marc doesn’t see security as the drivers of innovation, it is his responsibility to keep pace with and enable it. In our conversation, Marc reflects on what innovation looks like today and what cybersecurity fundamentals are essential to facilitating business growth.

Before our conversation with Marc, we want to take a moment to thank you for listening. To make sure you don’t miss out on the next, Next Big Question, please subscribe to the show on Apple podcasts, Spotify, Stitcher, or wherever you listen. Rate and review the show, so we can continue to grow and improve. Thanks, and enjoy.

Drew Lazzara (02:05):

Marc Varner. Welcome to The Next Big Question. Thank you so much for being here.

Marc Varner (02:09):

Oh, you're welcome. Thank you for having me.

Liz Ramey (02:12):

Marc, we're very excited to have you here, not just because Drew and I have a consistent diet of Taco Bell and Pizza Hut, but…  because we have just really enjoyed having you be a part of the Evanta community. Before we really get into the question that is always at the top of your mind, we just want to get to know you a little bit more and ask you some more personal questions. Does that work?

Marc Varner (02:39):

Absolutely. Fire away.

Liz Ramey (02:42):

So, first question, what book, movie, or musician do you recommend most often?

Marc Varner (02:49):

Wow. So, a book would be any biography because I like learning from other people, and I think, by studying other people's lives, and things like that, it's real life, and you can take a lot away from that. The other book I always recommend to people is God Grew Tired of Us. And it's actually written about the lost boys, which was… when Somalia was undergoing civil war, and they were walking, literally an entire group of young men who had been estranged from their tribes, had to walk from one country to another. And it talks about their trials and tribulations. And so, when you think you've had a really bad day because the temperature wasn't right in your office or something like that, I think it just grounds everybody really well. And sometimes, you know how fortunate we are. And a movie, not to, because of the season, I would say this anyway, but Elf because how can you not like that movie? And probably from a musician perspective, I would say, I have a…

Drew Lazzara (03:57):

You know, people get mad at me, but I've ever seen that movie.

Marc Varner (03:59):

You're the second person in my life that has said that, and one worked for me. So, I actually forced it at one of our meetings one time. So, we probably need to force that at a meeting for you, because I can't believe you haven't watched that movie, but...

Drew Lazzara (04:13):

Yeah, I'm embarrassed. I'm embarrassed. Rightfully so.

Marc Varner (04:17):

Yeah. Should be. Musician? I have crazy music tastes. It kind of goes a broad spectrum, but if I had to go to after a day that I would want to listen to, it probably would be Keb' Mo'.

Liz Ramey (04:28):

Oh, cool. Well, perfect. Well, Marc, not to get too personal, but I would love to hear your journey about kind of the adversity and disappointment of being a Colts fan.

Marc Varner (04:43):

Well, so I'll tell you, the only advantage is that, growing up actually in Indiana, but very close to Chicago, the only other thing I could have been is a Bears fan. And so, the only thing more miserable than being a Colts fan is probably being a Bears fan. So, there is that. There is that advantage. It hasn't been so bad. You know, I was a little conflicted when it was the Bears and the Colts in the Super Bowl. Didn't turn out the Bears way. But, I actually follow as much a team as I do a player. And so, I instantly became a super big Colts fan when Peyton Manning went there because I love watching Peyton Manning play and just the way he carries himself. So yeah, I've suffered through that, but I think everybody's suffering through the NFL season this year. What a weird world. 

Drew Lazzara (05:33):

I'm just glad you're one of those people from Northern Indiana that had the courage to be a Colts fan and you didn't buckle under the pressure to be a Bears fan. That speaks highly of you, Marc.

Marc Varner (05:42):

Thank you.

Liz Ramey (05:45):

That's great, Mark. One more question I have for you -- what would you like to be known for?

Marc Varner (05:52):

Hm, I'd say loving what I do, and being effective at it, but loving who I do it with more. You know, I want to ensure that an environment that I created challenges people and made the organization safer because at the end of the day, that's what we get paid to do. But I'd like to be known that it was done via relationships that were kind of built on trust and in an environment that people enjoyed. I think, especially with us, like the legacy I'd like to leave is, this'll sound stupid, but fun. I mean, our job is really hard, and we answer to a lot of people, and it's a lot of pressure. And so, I think having fun and truly enjoying who you work with and the environment that I would have created as a leader would probably be important to me.

Liz Ramey (06:43):

That's great.

Drew Lazzara (06:44):

Marc, I really appreciate that. I think it's important to enjoy what we do since it takes so much of our energy. Like you said, it's a hard business to be a part of. So, appreciate that you think fun is one of those core values today. And I think the question we're here to ponder in this episode is actually a pretty fun one to think about. And we're here to talk about how security can keep up with innovation in a company or in a business. And before we dive into some of the specific things you're doing at YUM! to help facilitate innovation and keep up with that, I wanted to maybe step back and take a little more of a macro view at kind of information security, writ large. We've talked to a number of CISOs who talk about kind of a healthy tension between security and the business within their organizations. So, wanted to start with, from your point of view, as you look across InfoSec as an industry and as a profession, how would you characterize its relationship to the other core areas of the business?

Marc Varner (07:37):

I think it is creating that healthy tension. I think the trick or the magic in it is making sure that the healthy tension sort of balances both ends of the equation. And I think that that's what the modern CISO has been called to do perhaps more than in the past. In the past, many of us came up through engineering backgrounds, and we had this binary vision of the world that it was either secure or not secure. And I think that largely, as we move more to risk management, I still don't think that you stop being the guardian of the organization in that regard, but I think you become more effective, the better that you balance that with the needs of the organization. And the only way that you do that, and you become a better partner, is by understanding where it is that they're trying to go and ultimately what drives your business. But, at the end of the day, I don't think you lose sight of the fact that, I'm common to say that really I work for our shareholders and the board and our customers, and then my company -- probably in that order. So yeah, it puts you in the crosshairs sometimes, and you're not always saying popular things. But I guess that just kind of goes part and parcel with the job.

Drew Lazzara (08:55):

Marc, you've been a security professional for a very long time. As you've evolved in your career, has that point of view that you just articulated changed? And what were some of the things that sort of drove your evolution as you were kind of evolving as a security leader?

Marc Varner (09:09):

I don't know if it's changed as much as it's expanded. I think the nature of the beast, depending upon where you enter, I think it's, first of all, it's a natural maturation and as you move up the food chain and you take on bigger roles and you take on bigger responsibilities, part of that just kind of comes into play. If you're going to be successful at those other things, you sort of have to hone your skills in those other areas. Most of us that started on the technical side, yeah, it was a very binary world in those regards. And that's sort of what I got paid to do. As you started to move more into -- and one of the things I was fortunate is I got my start in risk management. We, like a lot of organizations, had operations and engineering, and we had a risk management group. And I had started in the risk management group. And to this day when we bring new people on, it's really where I want most people to start. And I think it's because it was a huge benefit to me because -- instead of when I migrated from just being normal IT over to specializing in security, I knew a lot of technical stuff. I think what being in the risk management group did for me, though, was it taught me the 'why' of what I was doing before I really delved into getting into blinking lights and worrying fans and firewall ports and things like that. And I think grounding in the why, and being able to explain that to a normal human -- and listen to them as to why they wanted to do something different -- was kind of an advantage that carried that maturation process further and faster than it probably would have had I not been directed down that road first.

Liz Ramey (10:53):

Marc, it seems like, kind of coming from that group has really helped in your understanding and growth within kind of business acumen, which I would say many security leaders kind of struggle with today. Would you agree? Or, is that something that is not necessarily important in your role?

Marc Varner (11:13):

I would agree. And I don't know if it's business acumen, although that's probably true because most of us, I always hate the term… Like I could tell you many organizations I've joined, and they're like, 'well, you need to understand the business.' Okay. Well, what does that mean? And what opportunity are you giving your security people to ‘understand the business?’ So, as much as the business says that, sometimes they're not so good at getting you involved to actually do that. Where you're just supposed to somehow absorb that. Whether you know the business or you don't, though, I think the one thing that you can develop and what it did develop in me is an empathy, more so even than an understanding. And really, the beginning of all knowledge is first, just empathy and being able to put yourself in someone else's place. And so whether you know the business or not, if you put yourself in someone else's position and understand that at the end of the day, they're under immense pressure to get a widget out… If you can first get into sort of their shoes and walk a mile, it helps you a lot more in being able to then explain to them also your portion of that. And you get a lot more credibility, and you start to build some of the relationships that you need in order to have some of those tougher conversations, if you hope to influence them so that they also see the other side of the argument, so to speak. I hate to use that term, but sometimes that's the reality.

Drew Lazzara (12:38):

Marc, I appreciate that context. I think it gives us a pretty good window into how we'll frame the rest of this conversation. And I'd like to dive a little bit more into the specifics of your role with YUM! thinking about innovation. It seems as if generally the business has a greater appetite for technological innovation. We've talked to a lot of CIOs that say, all of a sudden over the last several years, the business is coming to me to help solve problems through technology. And I think that maybe that puts security people in a little bit of a tough position, because I would imagine that quote unquote ‘innovation’ can go in a lot of different directions and can be driven by a lot of different parts of the business. So, when you're thinking about security's role in innovation, how do you define that at YUM!? Where do you see yourself in the innovation life cycle as a CISO?

Marc Varner (13:23):

Well, hopefully, as in front of it as possible is the simple answer to that. And I do think that we are. But I think that there's some basic principles that you have to first just sort of sit down and take the medicine and accept. You know, I've often said -- it's important to run to the risk. And I think by embracing the risk, as opposed to just, it mentally prepares you for the shift in what innovation requires of you is no longer to position yourself as the defensive situation, and say, well, how can't we do this? Or, what are the millions of toll booths and roadblocks we're going to have to put in place to do this. Rather, embracing it from a risk perspective, looking at it with an open mind, and then sort of backwards engineering your way into, well, what do the control mechanisms need to be to do this safely? And all of those other things. As I'm fond of saying, if you're going to build a bomb, here's the safe way to build a bomb. Sure, it's dangerous. And you're creating something that's built to explode, so you have to do it carefully. But obviously, there's a right way to do it. And, so I think it's -- that's sort of a crude analogy, but that's really what we kind of have to do. And by embracing, first of all, its danger, and hey, there are things out there, and there's risks that lurks. It doesn't mean that you can't do it. It just means that there are certain controls and mechanisms and processes that you have to take in place. So for me, I think that's how you embrace innovation better and show yourself as a change agent to the organization, as opposed to, I think, what we simply used to be looked at or viewed as the department of no, so to speak, and telling people what they can't do.

Liz Ramey (15:15):

You alluded to a little bit, Marc, about kind of perspective, right? That's the perspective of you and your security team, right? It's almost like this perspective of -- you’re the horse leading the chariot, as opposed to the perspective of maybe some units within the business find security as the wall that the horse is going to have to jump over. Talk to us a little bit about how you break down those thoughts that maybe some business units have -- the perspective that security isn't there to just help support them, but is there to kind of block them from doing the things that they want.

Marc Varner (15:59):

That's a great question. I think you can have the right attitude. And I think that certainly leadership casts a shadow in every conversation that it has. And also, there's a downward effect that everyone in your organization needs to ooze that feeling as well. One of the best things that you can do to illustrate that that's sort of where you're coming from is have a good process that facilitates that to the business. If you look clunky, and they have to come in and they have to talk to a million people, and they have to refill out paperwork, and countless meetings and all those other things, whether you know it or not, you're sending a signal to the business that you're not really prepared to listen. And, that's not in the DNA of your organization to be able to take things like that in, at their abstract, and then figure them out. What you're waiting for is people to read your 76 standards that are sitting out on your website, which everyone is I'm sure just compelled to go out and read, and then come in and tell you what they can and cannot adhere to. And that's just not the realism of the modern organization. These are abstract thinkers. They come in with concepts and ideas. The more efficient you are at doing that, the more inviting it is to bring, for them to come to you for that type of help, frankly, and consulting. And then, you become a partner as opposed to this department that we have to go through and get approval from.

Drew Lazzara (17:29):

Yeah, it's interesting when you frame it that way. We've had a lot of conversations with CISOs about whether or not it's possible for security to be kind of a business driver. And I think maybe for better or worse, the consensus is maybe that's not entirely possible in the sense that you're not creating a new product, but if you're taking that point of view that you just outlined, you are an essential part of someone else getting their idea off the ground. And if you can convince the organization to look at you that way, then you are just another -- you're another part of success. And so again, I think that is a lot about driving mindset. So, what are some things you do within your organization to actively foster that perception? What can you do to be an advocate for innovation in a more positive way, as opposed to that kind of confrontational way? Are there specific tactics that you've seen be very successful for you?

Marc Varner (18:20):

Yeah. I think what you just said is spot on, and really, it's -- the way I capture that is that I really look at our role as being the facilitator. I don't think that we're ever going to be a business driver, although there are those rare occasions, like how well we handle customer data or how efficient we make that. And if we're actually building architectures that people can plug into faster and easier, and that enables the business or our developers to have one less thing to worry about, really, we are kind of being a business driver. So, there is an element of that, but I think that's shooting pretty far. I'd be happy with just simply being a facilitator and not being viewed as a blocker.

How you get your organization to that is, I think, first of all, just setting up that sort of attitude of being that of a facilitator. And then again, making those things that you know they're going to have to go through in order to innovate easier. One way I would think of that is so -- innovation would be, it's not always just your new product or widget that your company's putting out -- sometimes it's new methodologies. So, if you think of how everything shifted to agile development immediately. Well, SDLC and where security played was really, really easy because there was this nice waterfall: check one, check two, pre-prod, prod, and you had all these things along the way and change has happened. You measured them on a calendar. Today, we measure them on a watch. Well, security tools are not, you know, weren't necessarily created that way. 

So, instead of throwing my hands in the air and telling my agile groups that, well, you can't do that because frankly, the business is demanding it. What we've done is, okay, well, what tools do we need to adapt? And what processes do we need to put in place proactively to go to them and say, we need to behave differently so that we can support your innovation cycle. Now, sometimes it's hard or it costs more -- which is the thing that some people don't like -- is, you know, well, if you want to do agile and we can't do that neat testing anymore, you're going to need to go spend money to do a real-time code scanner. So, that as that stuff is coming in, there's some checks and balances, and things that are reviewed, and that's going to cost money. But it's like anything else in business is that -- is it an investment or an expenditure? And if it's making you go faster, and it's facilitating something that you want to do, generally speaking, if you speak to them in terms like that, and they see you as supporting the innovation, they get that there may be a cost of doing business with that. Rather than just coming in and saying, you guys are crazy. You can't do this. And either, you know, you have two options: you can't develop that way, or you have to develop it this way, and it has to be by our rules. So, I think our willingness to adapt to their needs is really kind of where we support innovation in the organization.

Drew Lazzara (21:12):

In that life cycle that you just described, Marc, where does the cost of security get accounted for? Is it in the P & L of the business unit who's bringing the innovation to the table? Is there a way to kind of fold that cost into the whole process so that ROI is already accounting for security? How does that work in practice?

Marc Varner (21:30):

Right, boy, there should be. I think, so if you're asking most security practitioners’ perfect worldview, the answer to your question is -- yes. But I think in most organizations, the answer is no because those tools, quotey fingers in the air, are traditionally felt as being owned by security; therefore, sort of like whoever owns and dictates, then somehow magically has the budget. 

Now, there's good and bad in that because then that does give you an opportunity to centralize the tooling and the processes and things like that, which does make the organization more efficient. The other side of that is – yes, ideally you can pass that all the way to the business unit and say, well, you guys have to pay for this if this is what you're going to do. Now, the danger that lurks in there is that by doing that, one, it becomes inefficient because you have a whole bunch pop-up innovation spots where you'll wake up one day and find out that you've got 47 things doing the exact same functionality because you made them all go out and sponsor it and buy it on their own.

It also just, it becomes the methodology and the process also becomes important as well because you'll also have very disparate processes. And I think most of us would agree in the security world that when things break down, they generally don't break down because of the technology. We get in these big, long arguments, and everybody has their religious battles about what technology does what better. You know, frankly, in my opinion, and after being in this business for a lot of years, 20 or so years, is that it's generally not the technology that breaks down. It's somewhere in the operational side where a thing wasn't being updated correctly, or somebody wasn't looking at the right pane of glass the correct way, the tool. Yeah, you can get a slightly better tool, but the degree of greatness varies maybe 5 to 10% by the feature set. 

Where these things generally fail is how well and with what consistency they're being applied across the organization. And that's where I think if you put all that in the business units sort of budget or wherewithal to take care of, your mileage may vary. I think the right hybrid of that is they trust you to come up with those tools and bring some standardization to that. But you're still drawing some of the -- you're drawing the funding from the business so that it almost becomes an allocated model and that brings about fairness and sort of understanding of what is the true cost of security. 

I think the other complexity of that that I would add is where a lot of organizations could make bounds of improvement is when -- what I have seen in my experience -- is that when many of these new innovations come out, there is no placeholder for security costs within those. So, people are very good at figuring out development costs and outsourcing, and what's the coding going to cost and the hosting and all of those other things. There's generally speaking, not a placeholder there, and nobody knows what that figure is until they get a little further down, but that's where security then gets to be seen as a bolt on because unfortunately that ship is already offshore. Then, they bring security in, and now you look like an added cost where really it should have just been built in from the front end. And that's where I think organizations probably really need to mature in the innovation pipeline.

Liz Ramey (25:13):

That's so interesting. And actually, it brings me to my question that I've had here, and that is, looking at that pipeline or looking at the overall life cycle all the way from ideation to execution. There is a health, like you said, there's a healthy tension between security and the business or security and innovation. At what point in that cycle are you stepping in and working with the innovative teams, right? So, if I were looking at innovation, and many companies look at it of course in different ways, but I personally don't want guardrails. I don't want limitations on the first kind of go around of ideation. But sometimes others find it important to know what those limitations are when they're looking for opportunities. So, where do you at YUM! see security coming in during that lifecycle to make sure that innovations are going to come out in a kind of really value-driven way?

Marc Varner (26:20):

My answer would be – I think the right balance there to make both of those things work is that you probably have multiple streams of innovation. So, for me, I think the way to practically do that, because I totally get what you're saying. There are people that are thinkers that they're out there, and the minute you start putting guardrails and limitations in there, then that instantly starts curtailing their creativity, which is bad. You don't want to do that. Now, but there are also certain things out there where, you know, that's why you haven't opened the want ads lately and said, ‘Wanted: Philosopher.’ You also can't have somebody out there just pontificating how something could be cool, and it's the most impractical thing in the world, because that's a waste of the company's resources, as well. There's a balance somewhere in the middle.

So, I think what we do is we encourage our development groups to be creative and to think out of the box, but those engineering staffs and those folks already kind of know that we have these standards and these guidelines. So, it's not like you can just go crazy and color outside the lines completely. And that's, I think that's one level of innovation. Like -- how can we make this cooler, faster, stronger, better, but not break everything in regards to doing it.

Then, what we have is a dedicated innovation sort of segment of our business. It's funded differently. It's led differently, and it is its entire focus. And they are truly meant to be sitting there thinking about the crazy and the abstract. It's sort of like when you're doing risk management, and you think of all your risks, and then you think of the Black Swan, which by definition, you shouldn't be able to think of the Black Swan. That's why it's a Black Swan. That's, to me, why we look at these things where you're saying, okay, your job, you're paid to drive me crazy. Like think of crazy, stupid things that I'm going to come in and go, 'Are you nuts? You can't do that.' As long as those things are contained, and there's sort of a different sandbox for those, I think that that's probably the best of both worlds. Because if you do the other, like I said, you can't have everybody running around because I can't be resourced that way to go to every one of those meetings and have somebody figure it out. That's why we write standards, and we do things like that so that people can be efficient with how they bring new things to the table. But you do need sort of those really out-there thinkers, and you have to allow them space to be able to do that, or the creativity doesn't occur.

Liz Ramey (28:55):

Right. Yeah, agreed.

Drew Lazzara (28:58):

Marc, in this conversation and especially what you were just discussing were really about foundational pieces that once you've got those in place in your security organization, that actually gives you a lot more flexibility as a business to do some of these innovative and interesting, creative things. I want to think through that lens a little bit about what the future might look like. So, assuming you're able to establish that ideal foundation in your organization, how do you project security's role moving forward? What would you say would be an ideal state for the role of the CISO relative to innovation in the next five or 10 years? Is there another evolution that you anticipate, or give us a picture of what the future might look like for budding security leaders?

Marc Varner (29:37):

I think it's more evolution than revolution. We find ourselves, and as long as we remain flexible and open, we can sort of navigate our way through that, and frankly, just find out how we can become more of an advocate or an innovation advocate, as I would say, in the business. I don't know that there's a crystal ball that we know frankly what that's going to mean. I think that that's part of the challenge as well as the coolness, for lack of a better term, of where we are positionally. 

It's a weird time for, I think, the CISO position, in general, because we're sort of, as far as C-positions go, we're kind of the new people on the block in regards to what we perform for the business. So, I think one of the really challenging things is, if you ask what a CISO does, you can get wide, great variances of what that expectation is and things like that. I mean, in most companies you go and say, what's your CFO do? It's a pretty clear picture of what the CFO does and is responsible for, and that's what's been going on for a hundred years. 

Ours is different, it's weird, and it changes. I think ours is going to change in being more of a facilitator of those things. And I guess if I were to say anything, it would just be that our openness to that, and sort of willingness to facilitate those things is probably going to increase. I don't think it's ever going to go away with the fact that you do still have to sort of be that last guardian on the wall, that's willing to have the uncomfortable conversation. I think that's where it would become a danger for me, and my personal view is that if we get so far to the other side, that we're being so flexible -- and I think there is such a thing as too chummy with the business -- because sometimes you do have to be that inconvenient, silent, or quiet voice in somebody's ear, and sort of the conscience of the organization. So, I think balancing those two things out is just going to continue to be hard, but companies are still going to really have the need to innovate at paces that we haven't really seen before. So, it's going to be an evolution of really how people look at that and how they're viewed in the organization.

Liz Ramey (32:01):

Marc, you talked about being a quiet voice in somebody's ear about the security implications that may happen with certain new business technologies and such that they're implementing. What I'm curious about, from your standpoint as a CISO, what sort of disruptive technologies scare you a little bit that are happening right now?

Marc Varner (32:28):

Oh, that one's easy. Um… probably other than just developers, in general? Just kidding. Developers, I love you.

Drew Lazzara (32:40):

They don't listen, Marc.

Marc Varner (32:42):

Oh man. You said a mouthful there. I think IOT would probably be on, probably my short list. As the advent of smart equipment takes place, and that starts to expand, it's really cool, and it's innovative. We can do a lot of stuff, and we can be, you know, dark kitchens and because quickly we are becoming a technology company that produces food. There's so much technology that has raised either in the restaurant or how we go about doing our business. IOT, like the more it's great, you can make your things smarter, which they're faster and automation and all these other things. The fact of the matter is, though, is it's a note on the internet now. And it's something that can then be manipulated. And so, and with the numbers of widgets that we have, think about the devices that we have in a restaurant that could be that could be made ‘smart,’ whatever that means – a fryer or refrigerator or freezer or a cooler – food safety increases. However, you also have the risk that that can then be manipulated. So, the risk there, and just surely, when you have 50,000 restaurants, and if 25 of your devices became smart devices, you can do the math. That's a whole lot more end points that are very critical to your organization, because at the end of the day, that's the tip of the spear that kind of really runs your business and operates things. So, I think, IOT for us would probably be up there.

The other one would just be speed to development of our commerce platform. So, where a lot of organizations, a few years ago were sort of dipping their toe in the e-commerce pool. For us, enter COVID, we have markets that e-commerce went from being a sales channel and niche and cute to being the sales channel overnight. Like – having an e-commerce platform and being able to function digitally was tantamount to having an open or closed sign in your window. And it meant the difference between your business surviving or not surviving. 

So, as we both know, speed and security are not necessarily good bedfellows. And so, when you start going fast and you have to do things quickly, you sort of – you take measures that are trying to support the business, but at the same time, are very hard to control because for us just scale and speed. And I think that turn in e-commerce and really digital, which I love that term because who in the world knows what it means. It means a lot of things for a lot of people, but when we think of digital, that's kind of our entire digital platform, which would be customer loyalty and coupon and in the e-commerce engine and e-payment and all of those things. That's a big bucket of things. The pace with which we're operating in that world, and I don't think that that's just us in the restaurant business or YUM! or anything, I think that that's most organizations, I think the pace is really also one of those things that folks are really going to begin to struggle with.

Drew Lazzara (36:07):

I like closing out there, Marc, because it was started off with a little bit of scariness that is maybe typical of the CISO profession, but it ended with the idea that you're not going to stop that speed, but maybe it aligns with the evolution of the leader that we've been talking about today. So, I think that gives us a lot of opportunity for security professionals to grow and continue to evolve, to meet those needs. And it's a pretty daunting challenge, but it sounds like you're up for it. So, I appreciate your reflections there. Before we let you go, we do like to close out every episode with two questions about the future. And the first comes from our previous guest, and their big question for you actually requires a little bit of context. We were speaking with Kelly Ann Doherty, who is the Chief People Officer for Mr. Cooper. And we got to talking about how, in her point of view, she sees employees as asking increasingly more and more from their employers in terms of support, more difficult personal conversations. And that's only been accelerated through this odd year of remote work that we've all been going through. And so, her question for you was -- if you extrapolate that idea, that leaders in companies are taking greater responsibility for their employees, where do you see that ending? What do you see as the role of companies or corporations or C-suite leaders in governance either at a local or a federal level?

Marc Varner (37:25):

From governance, do you mean of their participation in the company, or can you speak a little more about what you mean by governance?

Drew Lazzara (37:36):

I use that term too loosely. I forgot that we were talking to security and technology leaders. So, in this sense, I think Kelly Ann was talking really about the role of private industry in government, in actually how cities or communities or countries are governed. And again, I think she was coming from the point of view that leaders are taking on greater responsibilities and things that fall outside of business, anyway. And I think she was wondering where someone like you thought that that ends.

Marc Varner (38:04):

You know, YUM! is very, very dedicated to a lot of sort of greater good or things outside of our realm that you would traditionally think of, is it just our job to deliver food, or is it our job to do that in a socially and agriculturally responsible way. And how do we go about doing our business, such that we're kind of balancing all those things? I think from our perspective and my perspective, I would say it definitely is something that we are going to be required to, and we should take a bigger role, because at the end of the day, an organization makes a lot of different things, and we're all for profit and all those other things. But really at its root, organizations are made up of people. And if we lose sight of that, whether we're being served by them, their customers, or they’re employees, or we're serving them, however that relationship works, at the end of the day, it is a network of humans. And so, if we lose sight of that… And I don't know that ‘governance’ would be right, I think that – but you can certainly be a leader. You can certainly set a tone. And you can certainly set an example with what you do and how you treat people and how you look at your footprint in the world. And it's kind of an overused term of ‘social responsibility.’ I just – it's simply kind of doing the right thing and thinking bigger and beyond yourself and just simply the bottom line. So, I do think that we have a very big responsibility to it. And at the end of the day, I think it has a great business – the sidebar is it does have a good business benefit. I don't think that it's hurting people's businesses to do that, to think larger than they normally would.

Liz Ramey (39:45):

Perfect. Marc, it's been such a pleasure talking to you, and our last question is really going to be for you to pose to our next executive. And so this is – could be across the C-suite. So, whatever is on your mind, what would be your next big question for the C-suite? What are you thinking about?

Marc Varner (40:07):

Um, you know what, because I guess no matter which ‘C’ you talk to, my question would be, and this is always my burning question, how do you view us? Security, CISOs, whatever you want to call us. And, how do you think we can better facilitate and be a service to your organization? Whatever particular vertical that ‘C’ person happens to be over.

Liz Ramey (40:38):

That's great. I'll answer that for them. You’re their developers. Just kidding.

Marc Varner (40:44):

Yeah, yeah, exactly. Oh God. What a scary thought.

Drew Lazzara (40:52):

Well, Marc, thank you so much for being on The Next Big Question. Really appreciate the conversation. Always great to speak with you. I think your big question's going to be very thought provoking for our next lucky or unlucky C-suite guest on the show. So, thank you so much for your time and reflections today. We really appreciate it.

Marc Varner (41:08):

You're very welcome. Thanks for having me.

Liz Ramey (41:12):

Thank you, again, for listening to The Next Big Question. If you enjoyed this episode, please subscribe to the show on Apple podcasts, Spotify, Stitcher, or wherever you listen. Rate and review the show so that we can continue to grow and improve. You can also visit Evanta.com to explore more content and learn about how your peers are tackling questions and challenges every day. Connect, learn, and grow with Evanta, a Gartner company.