Kevin Morrison has worked in a variety of industries, each with its own unique opportunities and challenges, but all converging in one overarching principle: the need to build relationships.

“My career path has influenced my CISO role by really understanding the criticality of the partnerships that need to exist, regardless of the industry,” said Morrison, who recently joined Driven Brands, an automotive services company, as its first cybersecurity chief.

“It’s driven home the need to proactively reach out to folks across the business to really build those relationships, to understand how the security team and function can really support what needs to get done, and to make sure we’re in alignment with the roadmaps that are being developed.”

Business MBA

Morrison did his bachelor’s degree in information technology, and started his career there before gravitating toward cybersecurity around two decades ago at a time when there were a lot of disruptive viruses.

Building on his rich technical background, he did an MBA in technology and innovation management to better understand the business side of things. “Each station has been a great stepping stone and opportunity to take on broader leadership roles and eventually becoming a CISO at a couple of different Fortune 500 companies,” he said.

Morrison’s work history spans industries including defense-related engineering, law, homebuilding, aviation and most recently, after-market auto services. He joined Alaska Airlines at the start of the pandemic, just as carriers were being clobbered by a sudden near-halt in travel. But because he was confident in their fiscally conservative stance, he joined the team.

“Had it been any other airline to come on to that role in the midst of a pandemic, I would have turned it down,” he said.

Increased scrutiny

Driven Brands brought on Morrison in June, roughly a year after it went public — a development that created increased scrutiny of its business processes and the need to put in place the right controls to manage risk. Part of his challenge is to change the business culture so everybody within the organization understands that security is everyone’s job and is an opportunity to help protect the brand and revenue by minimizing incident-related costs.

Engagement across the organization is critical, he said.

“Any time you’re coming into a new role, especially where you’re the first one in that position, right out of the gate you have to ensure that people within the business understand what you’re there to do,” Morrison said. “You also have to make sure that others know how and when to reach out for guidance on risk management, and that it’s not just me or my team in a bubble making decisions.”

Alignment is key

In an early CISO posting, Morrison had the good fortune of receiving management’s support for most of the investments he sought. What he didn’t consider then was that his program didn’t exist in some kind of splendid isolation.

He didn’t engage with peers over their respective areas, and when it came time to execute on solutions his team was moving forward with, they weren’t aligned on resourcing and prioritization with other teams they relied on for implementation.

“That definitely helped me better understand right out of the gate that I have to go in and engage my

peers as early as possible, and as often as possible, to make sure that we’re aligned on where I see the gaps, and that we have the appropriate resources to go in and do the implementation and ongoing maintenance,” he said.

“I can’t overemphasize enough how critical those relationships are for peers and for business stakeholders, to understand that you are there to provide a service and to partner with them in securing the organization.”

Ditch geekspeak

The CISO’s role has evolved from very technically focused to a greater focus on the business, and communication has been key to those who have been successful in this transition, he said.

“It’s so important for them to be seeing you as somebody who they know they can proactively reach out to and have a normal conversation with instead of geekspeak that’s going to make them roll their eyes and look like a deer in headlights,” he said.

Morrison’s overriding philosophy is to try to minimize friction. Most of the controls that he’s deploying aren’t creating a lot of visible change that will require employees to redo workflows. As a result, he’s a big fan of continuous attack path analysis platforms.

These highly technical tools run in the background, so aren’t disruptive for colleagues. But they provide CISOs the opportunity to have a more business-driven discussion with executive stakeholders and the board about how security-related investments are working or aren’t living up to their marketing hype, he said.