Holding the dual position of CTO/CISO takes a lot of experience and drive. Being able to build the security organization around the needs of the company led to being both the Chief Technology Officer and the Chief Information Security Officer. Noticing what was interfering with the safety of the company through passive observation has directly played into both roles. Doing research, having conversations, and interacting with other people are all examples of seemingly passive observations.
Advice To A Younger Self
A great piece of advice is to not limit your thinking about what technology can be and how it can evolve, and to not limit how these technological advances can be applied to benefit you and your company. Virtual doctor appointments, for example, are a use of technology that many never even considered an option not too long ago. This did pose some security concerns, but the program was able to be built around the technology, and the team was prepared for these changes.
Remote Work Advice In Uncertain Times
Some positions, such as doctors and nurses, do not really have the option to work completely remotely because patients need to be seen. But more administrative positions, as well as support positions, absolutely can safely work from home. There are going to be concerns any time there is a huge shift in the workday. Insider threats can be large or small, from something as simple as employees not getting the work done from home to something larger like medical information being released to the wrong people, which is a direct HIPAA violation. Pushing it even further, what if that information was sold for profit by an employee? Identify the threats before they become a major crisis.
When working from home, you want to essentially replicate the way work was done on premises. If most meetings were conference calls, that can easily be done at home. If meetings were typically done in person around a conference table, use group video chat for these meetings at home. From a leadership standpoint, working remotely can bring up unique challenges. Not everyone is as familiar with technology or the software needed to make these connections, so providing education on the tools used could be a great first step when moving to a remote workforce. Getting everyone on the same technology, making sure teams have the access they need, and making sure that security isn't abandoned because of an emergency are all great points to cover upfront.
In some cases, purchases and upgrades may need to happen before the shift to remote work. Making sure the right purchases are being made for the unique situation the company is in can make or break your budget. Another great piece of advice is to spend the company money as if it were your own.
When clients come to you with an example of a breach and are worried that it could happen to them, do the research and explain to them the truth. Explain how that breach happened, and stress to them that human error causes more issues than technology failure, and a combination of the two is what leads to the most unfortunate events.
What Being A New CISO Means
Mentorship plays a big role: groom a member or members of your team so that they can confidently replace you when the time comes. Security is everywhere, in all aspects of our lives, so the new CISO needs to think big picture.