Earlier this year we launched the mini series “Confessions of a CISO” as part of the Humans of InfoSec podcast.
Caroline Wong spoke with three security leaders — Andrew Obadiaru at Cobalt, Jerich Beason at Epiq, and Meg Anderson at Principal Financial Group — to learn about their paths to the CISO role, the challenges they faced along the way, and how they overcame them.
Andrew Obadiaru - Chief Information Security Officer at Cobalt
Andrew’s professional path didn’t start in technology. In fact, his first degree was in political science, followed by a degree in public administration. But when Andrew moved to the US about 20 years ago, he decided to get into tech. Since then he has built security and compliance programs across many different industries: professional services, pharmaceuticals, education, financial institutions, and now pentesting.
His career has lent him a unique perspective on how security has not only changed over the years, but also how it shifts based on a company’s business model and growth stage.
“It’s a question of how you evolve with the situation.”
In his experience, it’s no longer feasible to prevent everything. While it’s important, strengthening endpoint security shouldn’t be the single line of defense. It's critical to thoroughly understand an environment and the typical patterns of behavior on a device and network level. Monitoring for shifts in those patterns — data being transferred at odd hours of the day, or unusual access requests and password changes — can help teams focus their time and resources more strategically.
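The pattern-monitoring idea described above (flagging large transfers at odd hours, access to resources a user has never touched before, and bursts of password changes) can be sketched as a small baseline-and-deviation detector. The code below is an added example written for this summary, not code from the podcast or from Cobalt; the log format, the thresholds, the business-hours window and the per-user resource baseline are all assumptions, and the log lines are constructed.

```python
"""Toy behavioural-baseline detector (added example; format and thresholds assumed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line, chronological:
#   <ISO timestamp> <user> <event> [key=value ...]
SAMPLE_LOG = """\
2024-03-04T02:47:00 bob transfer bytes=900000000 dst=external-host
2024-03-04T09:12:00 alice transfer bytes=120000 dst=fileshare
2024-03-04T10:30:00 alice access resource=hr-db
2024-03-04T11:05:00 bob access resource=crm
2024-03-04T11:06:00 bob password_change
2024-03-04T11:07:00 bob password_change
2024-03-04T11:09:00 bob password_change
2024-03-04T14:00:00 carol access resource=finance-ledger
"""

# Assumed policy values; a real deployment would derive these from observed history.
BUSINESS_HOURS = range(8, 19)                 # 08:00 to 18:59 local time
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024      # 100 MiB
PASSWORD_BURST_COUNT = 3                      # changes within the window that count as a burst
PASSWORD_BURST_WINDOW = timedelta(minutes=15)

# Assumed "normal" resources per user, as a learned baseline would provide.
BASELINE_RESOURCES = {
    "alice": {"hr-db", "fileshare"},
    "bob": {"crm"},
    "carol": set(),
}


def parse_event(line):
    """Split one log line into a dict with ts/user/event plus any key=value fields."""
    ts, user, event, *fields = line.split()
    attrs = dict(field.split("=", 1) for field in fields)
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, **attrs}


def find_anomalies(log_text, baseline=BASELINE_RESOURCES):
    """Return a list of (user, rule, detail) tuples for events that deviate from the baseline."""
    alerts = []
    pw_changes = defaultdict(deque)   # user -> timestamps of recent password changes
    burst_alerted = set()             # users already reported for a burst

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, ts = ev["user"], ev["ts"]

        if ev["event"] == "transfer":
            size = int(ev.get("bytes", 0))
            # Large transfer outside business hours: an "odd hours" data movement.
            if ts.hour not in BUSINESS_HOURS and size >= LARGE_TRANSFER_BYTES:
                alerts.append((user, "off_hours_large_transfer",
                               f"{size} bytes to {ev.get('dst', '?')} at {ts.isoformat()}"))

        elif ev["event"] == "access":
            resource = ev.get("resource", "?")
            # Access to something this user has never been seen touching before.
            if resource not in baseline.get(user, set()):
                alerts.append((user, "unusual_resource_access",
                               f"first-seen access to {resource} at {ts.isoformat()}"))

        elif ev["event"] == "password_change":
            recent = pw_changes[user]
            recent.append(ts)
            # Drop changes that fell out of the sliding window.
            while recent and ts - recent[0] > PASSWORD_BURST_WINDOW:
                recent.popleft()
            if len(recent) >= PASSWORD_BURST_COUNT and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append((user, "password_change_burst",
                               f"{len(recent)} changes within {PASSWORD_BURST_WINDOW}"))

    return alerts


if __name__ == "__main__":
    for user, rule, detail in find_anomalies(SAMPLE_LOG):
        print(f"[{rule}] {user}: {detail}")
```

The point of the example is the shape of the logic rather than the thresholds: each rule compares an event against what is normal for that user or that time of day, so the alerts that come out are the deviations worth an analyst's time instead of every transfer, access or password change.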
Listen to Andrew’s episode to learn more about:
- Why not all attackers are the same, and how you can adapt
- How security programs shift across different industries and business models
- How these differences should guide your strategy and resource requests
Jerich Beason - Chief Information Security Officer at Epiq
Jerich has spent his career building industry-leading cybersecurity programs to protect some of the nation’s most sensitive assets. How did it all start? With the Duke Nukem video game. It wasn’t exactly kid-appropriate, so Jerich’s dad didn’t let him play alone. Jerich set out to connect to the computer remotely and discovered networking. The rest is history.
Among other questions, Caroline wanted to know his thoughts on how cybersecurity has (and hasn’t) changed over time. For Jerich, while the threat landscape has expanded, attack vectors have mostly stayed the same: email is still the most common way attackers try to get in.
That being said, the industry is always evolving because businesses are evolving.
“As the business changes how it operates, the technology follows and cybersecurity comes along for the ride.”
Another driver for change is what attackers leverage. There was a time when people thought they couldn’t get hacked on a MacBook, but the reality was they weren’t a target because the majority used Windows. Now there are all types of Mac protections.
Listen to Jerich’s episode to learn more about:
- The best and worst parts about being a CISO
- Whether automation is really the solution it promises to be
- Things teams don’t think about when defending against ransomware
- How to stay ahead of incoming technologies
Meg Anderson - VP-CISO at Principal Financial Group
Responsible for the InfoSec program at a global Fortune 500 company, Meg finds novel ways to enable and accelerate business strategy while keeping assets safe. Shifting to the CISO role after 20 years of directing technology projects at Principal Financial Group, she earned her stripes handling information security in the 2000s when everything was in flux: mobile phones were becoming mainstream, new regulations kept coming, and more breaches and incidents were getting attention.
Meg’s approach is to prioritize understanding the business, so she developed the Business Information Security Officer (BISO) role. She describes it as a mini CISO integrated into a specific business area. They understand the business strategy and focus on the following:
- How security can help and how it might be getting in the way
- What compliance requirements and laws to consider
- How customers think about security
- Whether policies and standards are rigorous enough to protect the business
This approach gives great perspective on how security impacts day-to-day business decisions, whether that’s keeping operations running or demonstrating to a customer how the company protects their data.
“It really helped my team members understand the ‘why’ of what they do.”
Listen to Meg’s episode to learn more about:
- The logistics behind integrating security more closely with business teams
- How to align security with the enterprise strategy more effectively
- How to articulate what you need to evolve your security program
To get notified of new episodes, make sure to follow Humans of InfoSec on SoundCloud.