Sara Engstrom
CISO & VP of IT Security, Productivity and Privacy
CHS
CHS Inc. is a leading global agribusiness owned by farmers, ranchers and cooperatives across the United States that is diversified in energy, agronomy, grains and foods.
Beth Singer
Data Protection Manager
CHS
CHS Inc. is a leading global agribusiness owned by farmers, ranchers and cooperatives across the United States that is diversified in energy, agronomy, grains and foods.
David Lipscomb
Director, IT Security and Compliance
ASM Global
ASM Global is a venue & event management company based in LA, specializing in managing stadiums, convention centers, theaters, and unique venues.
Michael Mongold
Sr. Director, Information Security & Chief Information Security Officer
Deckers Brands
Deckers Brands is a global leader in designing, marketing and distributing innovative footwear, apparel and accessories developed for both everyday casual lifestyle use and high performance activities.
October 2020
Introduction
Maintaining Their Role & Resilience
CISOs from the world’s leading global organizations met virtually over the past six months to discuss security needs and business continuity amidst the evolving challenges of 2020. Security leaders and their teams have responded to increased threats and have faced steep challenges, including an unprecedented level of remote workers, evolving security needs, and an expanded attack surface.
Security leaders have also had enormous opportunities to demonstrate their value as risk management thinkers and strategic business leaders. The demands of protecting the enterprise and the added complexity of a fluid workforce are now paving the way for a discussion about resiliency.
Reenergizing the CISO: 3 Themes
Security leaders and their teams have risen to the challenges of this year. Their diligence, hard work and resilience come at a cost, though. In an August survey of CISOs across Evanta communities, 60% said they are most concerned about employee morale going into the second half of the year.
As long hours, the uncertainty of the pandemic, and security threats continue, four security leaders discuss how to stay energized and focused on their critical priorities. Three themes emerged from those discussions:
- Sustaining High Performance
Security leaders and their teams are trying to focus on quality over quantity when it comes to work and hours. Conversations about mental health and work-life balance have become top-of-mind.
- Enabling Business Outcomes
Information security leaders are also key business leaders and are being recognized as such. CISOs discuss how their role has evolved and how it might continue to grow in the future.
- Influencing the Organization
CISOs are overcoming their reputation as the “department of no” and transforming it into one that assesses risk and enables decision making.
1. Sustaining High Performance
As CISOs have risen to the challenges of this year, they reflect on how to maintain high performance in a sustainable way as a leader.
Community Voices
It’s important to practice self-care so that you can take care of your teams. I think it’s really good to understand where you are spending your time, where you are investing your thoughts. In these times, we struggle to turn off, whether it’s the phone, TV, our computers - I think it’s good to get out into nature and turn it off for a little while.
Sara Engstrom
Minneapolis CISO Community
Not all stress is a bad thing. Stress, the right balance of it, can be good. But it can be hard to maintain that balance. It’s important, again, to tap into your resilience, not only for you but for your team – you are a role model. People are looking at you for how to react. By helping yourself, you are helping your organization, and also your family.
Beth Singer
Minneapolis CISO Community
As the ‘new normal’ changes daily, I learned two lessons: I have to center myself to operate at peak performance, which is accomplished through exercising and intentionally scheduling time to relax.
David Lipscomb
Philadelphia CISO Community
It is more important than ever to listen. We must listen to our customers to ensure we are responsive to their needs and the shift in their lifestyles and priorities. We must listen to our business partners, vendors, and third parties to ensure we are aligned with each other. Finally, we have to listen to our team members to ensure their personal needs are being met. The microcosm of each employee’s life has changed, so we, as leaders, must ensure that the challenges of our new reality do not have a multiplier effect on the stresses that naturally accompany our cyber security roles.
Michael Mongold
Southern California CISO Community
In addition to maintaining high performance as leaders, CISOs are also motivating and fostering high performance for their teams.
Community Voices
I work with a small team with multiple responsibilities, so I try to be mindful of preventing work overload by extending deadlines, creating a more collegial atmosphere, and asking if I could be of assistance by performing certain tasks.
David Lipscomb
Philadelphia CISO Community
We have focused on flexibility and ensuring that when it comes to the time spent working, it is quality, not quantity, that counts. It is important that we allow our team members the ability to take care of themselves and their families, and that can require changes in when they work or even where they work from. The mental and physical well-being of our teams is more important than ever, and we must do what we can to provide them what is needed to navigate these uncertain times in a way that allows them to be successful.
Michael Mongold
Southern California CISO Community
2. Enabling Business Outcomes
CISOs explore how their role continues to evolve, with one CISO describing it this way: “The security role went from simply observing the business strategy to being a participant in its creation.”
Community Voices
I had all these big goals for 2020, and obviously, those went out the window, so how can I direct my thoughts, my attention, my focus, in new ways?
Sara Engstrom
Minneapolis CISO Community
Information security leaders are key players in business outcomes. They provide risk analysis, due diligence on mergers and acquisitions, and have policies in place that reduce the risks of data breaches. As the roles evolve, business leaders will increasingly look to Information Security leaders to maximize the information ingested into their systems and use it to fuel business ideas and projects.
David Lipscomb
Philadelphia CISO Community
For a number of years, security leaders have counseled their peers and the leadership within their organization about the dangers of attacks from bad actors and from an ever-evolving compliance landscape. Unfortunately, businesses do not address unrealized risk at the same rate as something they have seen before. Now, more organizations have leadership, both at the C-level and Board level, that have had a firsthand exposure to a cyber incident and the inclusion of information security is becoming more expected. Agreements with third parties and cyber liability policies are also forcing businesses to ensure their security programs are built to a higher standard. These multiple factors are resulting in an evolution of the security role from simply observing the business strategy to being a participant in its creation.
Michael Mongold
Southern California CISO Community
3. Influencing the Organization
CISOs are thinking about how best to support their teams through more change, as well as how they can continue to provide the risk analysis that enables strong C-level decision making.
A lot of our teams are asking questions like – ‘When are we going back to the office? I need to figure out child care.’ I think that this enables us to have different conversations with individuals. I don’t have all the answers, but we are working through ambiguity together.
Sara Engstrom
Minneapolis CISO Community
I first allay their initial opinion of security leaders by explaining that I am an ‘enabler,’ so the business can move forward. I also explain that I will assist in removing obstacles that may impede a project and look at ways to reduce business risks associated with a project. Additionally, during a merger or acquisition, my team will perform due diligence to reduce the business risk of merging or acquiring a business. It is truly a new day in how security leaders and the businesses interact.
David Lipscomb
Philadelphia CISO Community
While I do not support the building of a Death Star for the empire, I do believe that, had there been better security participation, failures in the design phase of the project would have been identified. Additionally, with proper DRM tools, the intellectual property could have been prevented from being accessed by unauthorized users. While this is slightly tongue-in-cheek, giving examples that directly relate to the business you are involved in, speaking in terms that the business can understand is critical for success in a security leadership role. If you want to be a business leader, you have to speak the language of the business.
Michael Mongold
Southern California CISO Community
Conclusion
CISOs believe that despite the challenges of this year, they have increasingly positioned themselves and their teams as business enablers. To support smart business outcomes, CISOs say communication and collaboration with their C-suite peers are key. Their responsibility is to clearly present the security risks and advise on the best way to manage them.
To avoid burnout, they are focusing on self-care and creating a better balance between work and their personal lives. They are staying flexible and adaptable as leaders to best support their teams.
In our August survey, 44% of CISOs said they have grown as a leader as a result of this challenging year. Heading into late 2020, CISOs are trying to capitalize on the growth, keep the momentum going, and reenergize themselves for a new year.
Special thanks to all participating companies.