Kevin Morrison has worked in a variety of industries, each with its own unique opportunities and challenges, but all converging in one overarching principle: the need to build relationships.

“My career path has influenced my CISO role by really understanding the criticality of the partnerships that need to exist, regardless of the industry,” said Morrison, who recently joined Driven Brands, an automotive services company, as its first cybersecurity chief.

“It’s driven home the need to proactively reach out to folks across the business to really build those relationships, to understand how the security team and function can really support what needs to get done, and to make sure we’re in alignment with the roadmaps that are being developed.”

Business MBA

Morrison did his bachelor’s degree in information technology, and started his career there before gravitating toward cybersecurity around two decades ago at a time when there were a lot of disruptive viruses.

Building on his rich technical background, he did an MBA in technology and innovation management to better understand the business side of things. “Each station has been a great stepping stone and opportunity to take on broader leadership roles and eventually becoming a CISO at a couple of different Fortune 500 companies,” he said.

Morrison’s work history spans industries including defense-related engineering, law, homebuilding, aviation and most recently, after-market auto services. He joined Alaska Airlines at the start of the pandemic, just as carriers were being clobbered by a sudden near-halt in travel. But because he was confident in their fiscally conservative stance, he joined the team.

“Had it been any other airline to come on to that role in the midst of a pandemic, I would have turned it down,” he said.

Increased scrutiny

Driven Brands brought on Morrison in June, roughly a year after it went public — a development that created increased scrutiny of its business processes and the need to put in place the right controls to manage risk. Part of his challenge is to change the business culture so everybody within the organization understands that security is everyone’s job and is an opportunity to help protect the brand and revenue by minimizing incident-related costs.

Engagement across the organization is critical, he said.

“Any time you’re coming into a new role, especially where you’re the first one in that position, right out of the gate you have to ensure that people within the business understand what you’re there to do,” Morrison said. “You also have to make sure that others know how and when to reach out for guidance on risk management, and that it’s not just me or my team in a bubble making decisions.”

Alignment is key

In an early CISO posting, Morrison had the good fortune of receiving management’s support for most of the investments he sought. What he didn’t consider then was that his program didn’t exist in some kind of splendid isolation.

He didn’t engage with peers over their respective areas, and when it came time to execute on solutions his team was moving forward with, they weren’t aligned on resourcing and prioritization with other teams they relied on for implementation.

“That definitely helped me better understand right out of the gate that I have to go in and engage my

peers as early as possible, and as often as possible, to make sure that we’re aligned on where I see the gaps, and that we have the appropriate resources to go in and do the implementation and ongoing maintenance,” he said.

“I can’t overemphasize enough how critical those relationships are for peers and for business stakeholders, to understand that you are there to provide a service and to partner with them in securing the organization.”

Ditch geekspeak

The CISO’s role has evolved from very technically focused to a greater focus on the business, and communication has been key to those who have been successful in this transition, he said.

“It’s so important for them to be seeing you as somebody who they know they can proactively reach out to and have a normal conversation with instead of geekspeak that’s going to make them roll their eyes and look like a deer in headlights,” he said.

Morrison’s overriding philosophy is to try to minimize friction. Most of the controls that he’s deploying aren’t creating a lot of visible change that will require employees to redo workflows. As a result, he’s a big fan of continuous attack path analysis platforms.

These highly technical tools run in the background, so aren’t disruptive for colleagues. But they provide CISOs the opportunity to have a more business-driven discussion with executive stakeholders and the board about how security-related investments are working or aren’t living up to their marketing hype, he said.

Quantitative evidence 

“CISOs have been challenged over the years to really provide quantitative evidence showing the value of the investments we make and the efficacy of the controls that have been deployed,” he said. “With this particular platform, we can 24/7/365 run simulated attacks based on hundreds of pre-canned attack vectors, which allows us to determine the exploit potential for an attacker to gain access to the environment, and then pivot from there.

“Having the ability to say with confidence that we have the appropriate controls in place, or know we’ve got a glaring hole and need to deploy a new configuration or new change or new technology – that continuous visibility is critical.”

Another key thing Morrison is doing to minimize friction is revisiting the authentication space. Instead of requiring everyone to change their 12-character passwords every 90 days, he’s now a fan of less frequent password changes, following NIST guidance for a higher number of characters, but less complexity.

“Removing complexity means fewer employees who forget their passwords because they don’t remember if it was an exclamation point or a pound sign or whatever,” he said. “It’s a win-win. You’re improving the risk posture of the organization while minimizing the friction. Looking for opportunities around those types of areas definitely can be a win.”

Tee up

Golfing and music are Morrison’s chief outlets for unwinding.

He and his family live on a golf course and he plays at least a couple of times a week. He grew up in a musical household, and to the dismay of his family, he quips, he started first on drums.

“I now have a nice electric kit, and can plug my headphones in and not bug anybody,” Morrison said. “I play guitar and a little bit of piano as well, so I really enjoy it in my own time, just to unwind and have that outlet. I have such an eclectic taste in music, it’s all over the map. You name it, and I’ll most likely be into it.”

Read the CISOs Connect™ Magazine CISO Spotlight Edition here: