We continue to recap sessions from this year’s SecTalks virtual conference by sharing insights from two current chief information security officers: Chris Gervais, who has 20+ years of experience in technology and product development and is currently the Chief Technology Officer and Chief Security Officer at Kyruus, and Vanessa Pegueros, who has 15+ years of experience in the security industry and is currently the Chief Trust & Security Officer at OneLogin.
Like many industry leaders, these CISOs have faced increasing demands and challenges in their roles since the onset of the pandemic.
What are the biggest changes COVID caused in your industry?
Both Chris and Vanessa said they have experienced rapid and vast changes over the past year, with Vanessa remarking that the pace of change has really made the biggest impact. For Chris, who works in the healthcare industry, it’s remembering how customers are going through their own rapid adoption of digital tools and figuring out how to connect patients to care in new ways.
Being able to pivot to fully distributed and fully remote work brought several new pressures and considerations to the forefront. Both now have to think about what it means to have all your employees distributed 24/7 as well as understand the different informational and operational security aspects in this new environment.
Chris, however, hopes there is no discussion about going back to “normal.” Although painful at times, he feels this is an opportunity to modernize the industry and have it become more accessible to patients online.
How do you build trust in a remote world?
The fact that all employees now work remotely has created an even greater need for trust. As Chief Trust & Security Officer, Vanessa sees her role as a security leader as someone who is responsible for helping to instill this trust. What can sometimes block it, she says, is blame and anxiety. She highlighted the importance of not blaming others when things go wrong and of looking instead to break down silos between the engineering and security teams.
The panelists also noted the significance of being able to demonstrate a commitment to trust, both externally and internally. Prioritizing compliance, framework and reporting certifications, as well as customer trust, is something every security team should do.
How have you evolved as a leader?
Vanessa explained that there is a distinct difference between a manager and a leader, even though both are key to a successful organization. A manager, she said, ensures that the day-to-day operational tasks are done, whereas a leader's job is to inspire and motivate people to get to a particular place, that is, to accomplish a goal.
At some point, leaders will have to face the reality that some employees will want to continue working from home, while others will want to go back to the office. Vanessa feels it's important to be comfortable managing people remotely; otherwise, you may limit the talent you attract.
In terms of career development, how security is organized in a particular company varies. Sometimes the function is buried down so low that security leaders don’t have a chance of surfacing challenges to top management. Vanessa said that for her own career goals, it was important to be at a company where the security leader reports directly to the CEO. At OneLogin, she’s now able to present options, thoughts and direction at the top level—giving her a true “seat at the table.”
“This is a choice every security leader can make. What kind of organization do I want to work for, and where is my reporting structure?” – Vanessa Pegueros
For Chris, his goal as a leader is to find ways to expose his team to the different tasks of a CISO. By getting his team members involved in discussions around budget, product features and customer feedback, he hopes they can gain better insight into the bigger picture and the business as a whole.
What are some setbacks to look out for as a CISO?
As a CISO, don't just be a technical expert; aspire to higher emotional intelligence and a stronger understanding of the business. While technical leaders are good at their craft, they don't always prioritize empathy and emotional conversations. Vanessa highlights the increased importance of being emotionally present during the pandemic. She does periodic check-ins with her team and looks for opportunities to connect with them and see how they're doing.
Both Chris and Vanessa also agree that another challenge CISOs face is not having enough business acumen to lead security within a wider context. For example, Vanessa says that when presenting to board members, CISOs sometimes dive too far into the technical details and lose sight of the bigger picture strategy. As Chris puts it: “you’re a business executive who happens to focus on security.”
How do you convey the importance of security to an organization?
Security affects the whole company, so getting employee buy-in is crucial. But one of the biggest challenges is getting teams to be security-minded, especially at organizations where engineers and developers prioritize speed of development.
To avoid the "this is not my problem" mentality, Chris suggests getting the whole company involved in the security process, including the executive team. For example, during Kyruus's annual SOC 2 Type 2 audit, it was the CEO who communicated its importance and the role each person played.
Watch the live recording of this discussion and learn more about the event host, Cobalt's Pentest as a Service (PtaaS) Platform.