Thank you for taking the time to share your experience. We will send you a copy of the report, which is scheduled for publication this quarter and features insights from more than 20 of your peers.

Working with a mentor who understood that security must be viewed within a broader lens was formational for Brett Conlon, CISO at American Century Investments.

After doing web development and data development during the dot.com era, Conlon moved to the U.S. Missile Defense Agency, where he was responsible for security servers and worked on program management. That led him to the FBI, where he spent 10 years working on national security and cyber defenses. In the private sector, he created the security program at Edelman Financial Services before moving several months ago to American Century.

“When I started in my career, I had the ability to work for some great leaders, and at the FBI had the good fortune to work with someone I consider to be one of the greatest mentors to work with,” Conlon recalled.

“He was very good at letting us fail, providing us top cover when we did. And he always told us to understand the business and not just develop or try to look at things from our lens, but the business lens and what we are trying to achieve.”

Understanding the business

In that case, the business was the FBI, but Conlon’s experience there provided a nice segue into private industry.

“Understanding the business so we can provide the right type of security strategy is my business,” he said. “And so we develop the right risk tolerance and build innovation programs around that.”

The biggest innovation he’s leading is redefining how risk is regarded, including explaining to the business side the added value that cybersecurity brings to the company’s bottom line, brand and reputation, he said.

He defines his role as “chief educator around all things security and risk, and making sure everyone understands it’s a company-wide responsibility.”

Risk and threat lens

“Part of our innovative strategy is making sure that everything we bring out really has that risk and threat lens on it already, and creating a way for our users to engage with us and our employees so they feel like they are part of the solution.”

Conlon is looking at department scorecards and individual scorecards so the business can now see the risks it’s bringing to the company, and what it can do to resolve those risks.

“That’s our unique approach to it, and it seems to be producing the correct conversations, producing the corrective actions that we want to see.”

One of the biggest challenges CISOs face right now is the very rapid pace at which the risk and threat landscape is evolving. It’s a challenge to keep up with that and build programs that are scalable and can help the business grow, Conlon said.

Cyber warfare

Malicious nation-state activity is on the rise, with cyber warfare playing out between Ukraine and Russia, Iran and Israel, and in China, he said.

“The pace at which that is evolving, and the pace at which risk and how we manage it is evolving provide a big challenge for us,” he said.

Supply chain risk is another challenge because there’s not a lot of transparency in supply chain risk management today, he said.

American Century is evolving continuous monitoring programs for third parties. It’s also looking at how frequently third parties are being evaluated and how risk rankings are given to third parties so it can figure out how to represent the risk correctly to the business, he said.

Continuing education

With the security landscape changing so rapidly, Conlon puts a premium on making sure his employees are continually growing and learning.

“It’s my job to make sure our team is as marketable as possible by continuing to develop, nurture and foster them in their educational pursuit of the ever-changing cybersecurity landscape,” he said.

That professional development creates a culture where they want to stay, he said. And while Conlon isn’t experiencing talent shortage problems, he thinks they could be mitigated industry-wide by loosening the requirements for candidates.

“We don’t really prescribe ourselves to X number of years of experience, or this type of cyber degree or master’s in computer science,” he said. “We’re really focused on the ability to learn, and how quick they pick up on things. The rest of it can be taught.”

Internship pipeline

The company also has built a strong internship pipeline to bring in talent, he said.

“With labor shortages, a connected workplace, and a landscape that is evolving at a rapid pace, I think it’s the CISO’s job to build out a very innovative, welcome and welcoming program that attracts talent and keeps that talent,” he said.

Another piece American Century does well is making sure that security isn’t kept behind the scenes, Conlon said.

“We do a really good job of making sure our employees are aware of it, that we’ve created an active engagement, and that the security team itself is very engaged in the different areas of the business,” he said.

Active mentor

Conlon is an active mentor. He works with aspiring cyber practitioners at the Air Force Academy, and at his kids’ school, he educates pupils about cyber safety and gives guidance to youngsters interested in getting into the industry.

He’s also created partnerships with local colleges and the police in the past, and is looking to establish those partnerships again in his new home in Naples, Florida.

After hours, Conlon volunteers as a soccer and flag football coach for his children, and does paddleboarding in the ocean. He also takes early morning walks.

“That helps me sort of catch up on my day, get my time to take a break from work itself, and just focus on the simple things.”

Kevin Morrison has worked in a variety of industries, each with its own unique opportunities and challenges, but all converging in one overarching principle: the need to build relationships.

“My career path has influenced my CISO role by really understanding the criticality of the partnerships that need to exist, regardless of the industry,” said Morrison, who recently joined Driven Brands, an automotive services company, as its first cybersecurity chief.

“It’s driven home the need to proactively reach out to folks across the business to really build those relationships, to understand how the security team and function can really support what needs to get done, and to make sure we’re in alignment with the roadmaps that are being developed.”

Business MBA

Morrison did his bachelor’s degree in information technology, and started his career there before gravitating toward cybersecurity around two decades ago at a time when there were a lot of disruptive viruses.

Building on his rich technical background, he did an MBA in technology and innovation management to better understand the business side of things. “Each station has been a great stepping stone and opportunity to take on broader leadership roles and eventually becoming a CISO at a couple of different Fortune 500 companies,” he said.

Morrison’s work history spans industries including defense-related engineering, law, homebuilding, aviation and most recently, after-market auto services. He joined Alaska Airlines at the start of the pandemic, just as carriers were being clobbered by a sudden near-halt in travel. But because he was confident in their fiscally conservative stance, he joined the team.

“Had it been any other airline to come on to that role in the midst of a pandemic, I would have turned it down,” he said.

Increased scrutiny

Driven Brands brought on Morrison in June, roughly a year after it went public — a development that created increased scrutiny of its business processes and the need to put in place the right controls to manage risk. Part of his challenge is to change the business culture so everybody within the organization understands that security is everyone’s job and is an opportunity to help protect the brand and revenue by minimizing incident-related costs.

Engagement across the organization is critical, he said.

“Any time you’re coming into a new role, especially where you’re the first one in that position, right out of the gate you have to ensure that people within the business understand what you’re there to do,” Morrison said. “You also have to make sure that others know how and when to reach out for guidance on risk management, and that it’s not just me or my team in a bubble making decisions.”

Alignment is key

In an early CISO posting, Morrison had the good fortune of receiving management’s support for most of the investments he sought. What he didn’t consider then was that his program didn’t exist in some kind of splendid isolation.

He didn’t engage with peers over their respective areas, and when it came time to execute on solutions his team was moving forward with, they weren’t aligned on resourcing and prioritization with other teams they relied on for implementation.

“That definitely helped me better understand right out of the gate that I have to go in and engage my

peers as early as possible, and as often as possible, to make sure that we’re aligned on where I see the gaps, and that we have the appropriate resources to go in and do the implementation and ongoing maintenance,” he said.

“I can’t overemphasize enough how critical those relationships are for peers and for business stakeholders, to understand that you are there to provide a service and to partner with them in securing the organization.”

Ditch geekspeak

The CISO’s role has evolved from very technically focused to a greater focus on the business, and communication has been key to those who have been successful in this transition, he said.

“It’s so important for them to be seeing you as somebody who they know they can proactively reach out to and have a normal conversation with instead of geekspeak that’s going to make them roll their eyes and look like a deer in headlights,” he said.

Morrison’s overriding philosophy is to try to minimize friction. Most of the controls that he’s deploying aren’t creating a lot of visible change that will require employees to redo workflows. As a result, he’s a big fan of continuous attack path analysis platforms.

These highly technical tools run in the background, so aren’t disruptive for colleagues. But they provide CISOs the opportunity to have a more business-driven discussion with executive stakeholders and the board about how security-related investments are working or aren’t living up to their marketing hype, he said.

CISOs Select Winners Based on Real-world Experience; Vendor Submissions Now Open

NEW YORK, July 18, 2022 – CISOs Connect™ today announced the launch of its annual CISO-selected vendor recognition, the 2022 CISO Choice Awards, and named the Distinguished CISO Board of Judges selecting the winning solutions and providers.

Honoring security vendors of all types, sizes and maturity levels, the CISO Choice Awards program recognizes differentiated solutions valuable to the CISO and enterprise. Security solution providers are from across the world. Submit for consideration here: https://www.research.net/r/CISOChoiceAwardsApplication2022

The CISO Choice Awards are a differentiated program based on the real-world experiences and perspectives of end-user executives, with clear criteria and a known and transparent Board of CISO Judges.  Part of Security Current’s exclusive CISOs Connect membership knowledge-sharing community, the CISO Choice Awards recipients are selected by the board who have first-hand knowhow and insights from building and maintaining their own programs.

“As CISOs grappling with real-world challenges on a daily basis, we know what distinguishes a good security solution from a great one,” said Board member Matt Lemon, Huawei Mobile Services CISO. “As a member of the exclusive CISOs Connect community, we want to recognize the innovations that are keeping companies, agencies and institutions safe at a time when cyber onslaughts are dangerously mounting.”

The CISO Choice Awards 2022 Board of Judges spans several verticals. The Board is made up of the following CISOs:

CN CISO Vaughn Hazen
Covanta CISO Tammy Klotz
Customers Bank EVP & CISO Endré Jarraux Walls
DC Department of Human Services (DHS) CISO Montae Brockett
Huawei Mobile Services CISO Matt Lemon
Invitae CISO Dave Ruedger
ICF International VP & CISO Joseph Dyer
IFF VP & CISO Lauren Dana Rosenblatt
One Main Financial CISO Tunde Oni-Daniel
Premise Health CISO Joey Johnson
Prologis VP, IT Governance, Information Security Officer Sue Lapierre
Radian CISO Donna Ross
William Blair CISO Ralston Simmons

Also, on the Board is well-known author and analyst Richard Stiennon, who wrote the Security Yearbook 2022, which includes a directory of some 2800 companies.

“Knowledge sharing and education are top pillars of our CISOs Connect community, and these awards offer an unparalleled look into how top security professionals minimize existing and emerging risks,” said Endré Jarraux Walls, Customers Bank EVP & CISO. “By collecting examples of real-life experiences, the awards will promote discussion and cast a spotlight on the proven partners and cutting-edge solutions that help us safeguard our organizations.”

Tammy Klotz, Covanta CISO added: “With cybercrime costing the world trillions of dollars a year, thousands of security companies and startups have sprung up across the world to focus on these digital dangers, and singling out the best fit for an organization’s needs is a daunting task. The CISO Choice Awards will make it easier for our peers to see which companies have risen above the competition.”

“As CISOs, finding the right cybersecurity technologies and solutions that align with our organization’s security objectives is essential, however, finding the right vendor that understands the value of true partnership is equally important,” said Joseph Dyer, ICF VP & CISO. “The CISO Choice Awards provides an opportunity for knowledgeable CISOs to distinguish exceptional vendors that have developed trust, offer solid security solutions, maintain innovation, and deliver valuable partnerships.”

As a fundamental part of their mission to support the CISOs and the cybersecurity solution ecosystem in order to safeguard enterprises and organizations internationally, Mayfield, a global venture capital firm, has partnered with CISOs Connect.

About CISOs Connect

CISOs Connect is an exclusive membership-only interactive community of trusted cyber peers and subject matter experts. Connected by common interests, this community allows cyber experts to share knowledge and expertise through proprietary content, research, and analysis while exchanging information, ideas and collaborating with trusted colleagues to make informed business and technology decisions.

CISOs Connect™ is part of Security Current™, known for its Security Shark Tank® and is lauded for its CISO driven content, knowledge sharing, and community. It is purpose-built and led by the top CISOs in North America.