Learning the business.
That’s the direction in which a CISO’s role is evolving, says David Ortiz, the cybersecurity chief at Church & Dwight, the maker of Arm & Hammer products and other household goods.
“You’ve got to know all facets of the business, understand the risk of them, and put together the right roadmap to reduce risk,” Ortiz said.
Today, resilience and identity and access management are top priorities, he said. At Church & Dwight, he’s focusing on an ironclad cybersecurity incident response plan that works in harmony with business continuity plans, disaster recovery plans and crisis communication plans.
As for access control, “We’re making sure that our people only have access to what they need.”
Collaborative path
At the same time, cybersecurity chiefs have to understand that they can’t be deploying security for security’s sake. That’s where learning the business comes in.
“If you’re in the private sector, you can’t be an impediment to driving revenue by putting too much protection in place that the company can’t do its job,” he said.
“You have to listen to your business partners. We’re here doing cybersecurity and risk management because of the business. Hear them, listen to them and find a collaborative path forward.”
Ortiz’s career history began with a degree in computer science that took him to consulting assignments on application development at New York City brokerage houses. From there he moved on to retail and publishing companies, spending 20 years at Bed Bath & Beyond before arriving at Church & Dwight two years ago.
Always security
“Security was always part of what I did and what everybody did, but we didn’t really call it security. It was part of the build and development process,” he said.
“When I really raised my hand and got involved was when payment card compliance became mainstream and companies needed to start adopting stricter compliance on the IT and the IT security side.”
Initially, as he formalized Bed Bath & Beyond’s cybersecurity department, things were still very technically focused. Several years later, he started breaking off from information technology, and set out to transform things again.
“I wanted to make the Information Security department more of a business-facing department to interface with our business leaders, and really develop the information security department more as a business function than an IT function,” he said.
Ortiz connected with Church & Dwight at an early stage in its security program, and over the past few years he has significantly increased its cybersecurity maturity, he said.
Persistence and time
“There is a lot of persistence that’s needed for the role,” he said. “I’ve been fortunate to have great teams at both organizations. Self-education and persistence have helped to foster a good team environment, and foster the right next step forward for the company so cybersecurity is really embedded in the culture.”
One of Ortiz’s biggest challenges is time.
“We run out of time every day,” he said. “Everybody is working really hard, and we need time to get our roadmap accomplished. But we also need that right work-life balance, and let people take a break and get back to their personal lives and decompress.”
“Bad actors only have to be right once,” he said. “We have to be right every single time. It’s a hard balance to strike, and sometimes people take that personally. Teams need to know they have our support, and that we’re going to help each other to move the ball forward.”
Because time is such a major constraint, Ortiz looks to find time-saving technology. But at the end of the day, “I don’t really want to start with a technical solution,” he said.
“I want to start with the process, and an understanding of the risk, goals and the outcome. I always find myself going back to the same thing: Let’s have a strong foundation and make sure everyone understands how to keep that foundation strong by doing what seem like basic things but do them really well.”
With budgets limited, Ortiz takes a risk-based approach that assesses what presents the organization and its people with the most risk and how his team can reduce it. But flexibility is also key.
“We can’t say on January 1st that we’re going to do something for the next 12 months,” he said. “It’s a constant re-evaluation of the external threat landscape and risk, and adjusting the roadmap for that.”
For those entering the profession, it’s important to understand that this is not a 9 to 5 job, Ortiz said.
“Be prepared to be a constant student. And be prepared to collaborate,” he said. “It’s a wonderful industry and everybody’s willing to help one another. Be prepared to get involved. It’s a profession. It’s a career. It’s a lifestyle.”
When Ortiz does turn his attention elsewhere, he’s got two kids in college and a third right behind them. “I spend time with my family, that’s how I unwind, as much time as I can with my family and friends.”