Erik Hart spent half of his career in financial institutions and the rest in organizations where clients played a larger role in driving security parameters.

One takeaway from his diverse experience is that cyber professionals have to learn they cannot be the “Department of No,” said Hart, today the chief information security officer at global real estate services firm Cushman & Wakefield.

“If you go in all the time, saying ‘No,” or taking the black and white security mentality, unless you’re in an organization like a financial institution where you can take a much harder line, you’re going to fail,” he said.

“We’re trying to find a solution or path for our teams. I told my people, ‘All of you are supposed to be architects and solution engineers. How do we find a way to say ‘Yes,” or say, ‘If we do this, here’s the risk and are we willing to accept that?’ and make the business think about those risks.”

Delegating responsibility

A good CISO will know how to communicate, and how to build relationships across different business unit lines, he said. A good CISO will also know how to delegate responsibility.

“How do you empower your team to make more decisions?” he said. “That’s something that’s been very hard for me. I’m an only child, so I’ve grown up with a lot of times, everything is mine. So I’m working on breaking away.”

Hart has been in the information security space for over 20 years, first in financial institutions, and then in trading and advertising technology before joining Cushman & Wakefield.

“The first half of my career was spent in the highly regulated financial institution space, where regulators and SOCs were major drivers for security operations. You did it because they asked for it,” Hart recalled.

As he moved on to other fields, “the focus shifted to finding the right solutions for clients. And since you can’t do one-offs for each and every client, it became about finding commonalities but also the various add-ons that you need to service clients or the business you’re working for,” he said.

Client demands

In his current role, responsibilities entail all of global security, including risk management, information technology controls, governance, client and data security, technical security and some interim CTO responsibilities while his expanding company undergoes some reorganization.

The company has grown from 40,000 people when he came on four years ago to more than 51,000 today. And more security demands are coming from the client side. So the No. 1 challenge has become, “How are we building out security into the sales cycle, especially with people in the commercial real estate services space who are not technology-driven, but whose services are driven by technology?” he said.

Another challenge is the numerous third parties the company uses, both in terms of SaaS systems and contractors, consultants and other suppliers. Cushman & Wakefield is addressing this risk in part by putting more and more things attached to a single sign-on “so we can drive and own the identities,” he said.

“Third-party vendor-risk management is something we all deal with and everybody does it in a different way,” he said. “It’s one of those areas that’s ripe for disruption, but I don’t know if we’ll ever get enough organizations coming together on a common way, setting an ISO-type standard to assess and deliver that,” he said, citing cost as one obstacle.

Uniqueness and diversity

The last big challenge is bound up with the technical uniqueness and diversity that comes with a global organization, where different countries have differing and sometimes conflicting rules and regulations, he said.

“That’s been a challenge,” he said. “How do you have a unified security approach when you have various country or regional rules and regulations?”

Hart sees the industry heading in a direction where identity becomes the centerpiece.

“Security and computing in general is moving past that hardware stage where you’re buying pieces of equipment that have blinky lights that you put in a rack somewhere, and we’re really moving to services,” he said. “So for us, it’s not about firewalls anymore. It’s about identity, because many employees can technically pivot to various devices to do their jobs. How do you deal with identity rights? How do you build a lot of the security controls into identities and not necessarily care about the devices people are using to do their jobs?

“I’ve also pushed over time to get out of assets management, i.e., issuing laptops, in favor of putting the security around the identity and what people access,” he added. “I don’t care what computer they use. If you want to send them a computer, fine, but if we want to get out of the supply chain nightmare, can we have them use what they already have? That’s where I would love to see things go.”

Vendor consolidation

He also sees more of a push toward automation and outsourcing, and consolidation in the security vendor space.

“I want to consolidate and have things be good enough but operationalize them well, versus buy a bunch of best-in-breed products that my people can’t operationalize because there are 10 or 12 things going on at once,” he said. “I think you’re going to continue to see a little bit of that consolidation around certain bigger vendors who are making the investments in the industry.”

When he’s not shielding Cushman & Wakefield from bad guys, Hart is likely to be found toiling in his yard.

“I bought a house almost two years ago, and it has two acres of property. I refuse to pay somebody to mow the lawns, so I spend anywhere from four to six hours on a summer weekend doing various yard work,” he said.

He’s also an avid Peloton rider.

“I’m on the bike almost every morning. So those are the ways I try to do it, to get away from the technology and not look at a computer,” he said.