How did you end up in your current role, and what attracted you to the industry?
A combination of education, determination and luck over many years led me to my current role as CISO at Datto. I have always aspired to run information security programs and was able to demonstrate success and competency in this area early in my career. I accepted the position at Datto for many reasons, but mainly because I want to keep driving the message of the devastating impact that data corruption and disaster can have on an organisation. I believe strongly in the importance of business continuity and wanted to put my skills and experience to use by delivering enterprise grade security to businesses, in a way that ultimately benefits society as a whole.
What makes a CISO most effective, and what typically prevents them from achieving that?
An effective CISO is agile, knows their organisation’s security posture well, understands their adversaries and maintains a bird’s-eye view of the constantly evolving threat landscape. Just as a robust business continuity and recovery solution is imperative for a business, so too is a CISO who is resilient to multiple types of common failures. An effective CISO can respond to changes in their business’s ecosystem quickly. They understand the what, when and how of continuously improving their security posture – but also recognise the importance of communicating the why. There are finite resources and time to accomplish these improvements in an environment that is non-static.
How has the increasing climate of governance and compliance changed your approach to security, and changed your engagement with board members and executives?
It hasn’t changed my approach all that much. There is nuance to new compliance regulation that needs to be understood, but at the end of the day it still calls for an understanding of what data you have, where it is, how you use it, who has access to it and providing transparency into that. These are all elements of an effective security program that will protect data from varied threats. Changes in governance and compliance just create more rigour around these practices and raise the stakes.
Is the security industry getting better at using tools like threat intelligence and collaboration policies to work together against a common threat?
Yes! I am personally working with my peers to establish an information-sharing community for more collaboration within the IT channel. Everyone understands that working together to foster intelligence sharing will help our customers – and ultimately society as a whole – combat common threats and become more resilient.
What do you see as the biggest gaps in the functionality of current cybersecurity technologies?
Disparate security technologies rarely work well together, so they become point solutions or discrete layers of control. This is why Security Orchestration, Automation and Response (SOAR) is becoming a huge trend and hot topic. There needs to be a middleware that ties all these controls together to orchestrate a more effective self-healing defence system. Right now, it’s up to each security program to do this effectively for itself – and for information security teams to manage and secure each of these individual programs. Reducing this complexity will reduce pressure on infosec leaders and ultimately help organisations build more cyber resilient ecosystems.
How has the nature of your engagement with customers changed in the last few years?
I spend more time talking to customers than I ever have before, and carve out time to embed myself in their organisations to understand their challenges at a deeper level. We conduct threat modelling exercises, benchmark the state of their programs and look for ‘quick win’ improvements together. This makes me more effective in my role as I know the root causes of their challenges and what we can do to help them succeed.
What changes have you seen in your engagement with senior executives and board members?
In the past five years I have experienced an increased appetite among executives and board members to understand and have in-depth conversations about the security posture of their organisations. There is a noticeable movement away from the naïve position that “I have never had a disaster before so I don’t need a backup solution”, towards a strong desire and willingness to support reasonable efforts that address security risks. There’s a positive trend towards grasping the importance of being prepared to handle a disaster, which I think will continue due to the regularity of data security incidents and events.
What security threats do you see as most problematic over the next year?
The trend of large-scale ransomware attacks and data breaches through vulnerable supply chains or technologies is a threat that I see only getting worse over the coming years. Modern, well-functioning, efficient supply chains are dependent on a range of software and hardware that opens up countless entry points for disruption. Every business must therefore be accountable for the security of its supply chain, by thoroughly investigating its vendors and their information security programs. If you’re not thinking about this seriously, now is the time to start.