There’s much talk these days about the need for CISOs to develop business acumen and position themselves as business leaders, and not just security leaders.
Mandy Andress, Chief Information Security Officer at Elastic, came into the industry two decades ago with those chops, putting her way ahead of that curve.
“Because my background is in business and I have a strong understanding of business and financial aspects, I was able to really focus on what’s a realistic and pragmatic security program, and to align with the goals and objectives of the company I was with,” said Andress, who has a bachelor’s degree in accounting.
That’s been useful when competing with other units in a company for scarce resources.
“There’s always a resource crunch – money, people – and that’s not just security. So it’s a question of how to make the case for why this investment in security is the best investment compared to all of the other areas across the business that are asking for investment as well,” she said.
“It’s understanding and tying it to business goals and business objectives, to help senior leadership and executives make an informed decision on where to allocate that capital and those resources.”
The CISO job is certainly getting less and less technical, Andress said.
“Pretty much all of my focus now is just understanding the strategic picture, both of where the company wants to go, and what that means for adjustments or new things we need to focus on as part of the security program,” she said. “It’s tying it to customer impact, revenue impact, those things that are aligned with the terminology and focus areas of other executives across the organization.
“It’s also helping folks – certainly within the security team – find the comfort of what’s good enough for the organization, and what priorities need to be worked on.”
A lot of people get into security because they love continuous learning, and Andress puts learning front and center for her team, including time to try new things and shadowing projects with other groups, in addition to conferences and other standard forms of training.
That ties in to a major trait Andress thinks a successful CISO should possess: curiosity.
“First for me is always curiosity, and seeking to understand what do we need to focus on, or human behavior, and asking questions and understanding why this isn’t the best approach for you and your team,” she said.
Calmness is another desirable trait. “When something happens, people do get afraid and nervous, and as a security leader, folks are looking to you to lead them through events. If you’re nervous and scared, that just makes everyone around you feel that way, and sometimes makes situations worse.”
She also values the ability to question or challenge oneself, because security is moving so quickly.
“What we’re doing today isn’t necessarily the best way or the most effective,” she said. “We have to be OK with spending six months working on a project and deploying it, only to have it be almost irrelevant because something changed in the world that we couldn’t necessarily anticipate or control.
“At the same time, we want to be proactive and try to anticipate. That’s where the challenge comes from. You don’t always want to be reactive.”
Andress has a rolling, 18-month strategy that is reviewed quarterly, to see what’s changed in the threat landscape, the business roadmap and the business objectives, and adjust as needed.
“For me, it’s focusing on a risk-based, risk-driven program to drive those priorities, and always questioning and trying to ensure that we’re spending our time on the most important areas and topics that will have the most impact from a risk mitigation perspective,” she said.
Andress got into technology at the recommendation of a professor.
“I’ve always enjoyed tech, but didn’t quite understand at the time what kind of a career path there would be. And I was really focused on business,” she recalled. “So I was in an accounting information systems class and this professor pulled me aside after class one day and said, ‘Hey, you’ve got a knack for this. Have you ever looked at this systems auditing focus? I think you’d be good at it.’ So I got an internship in that area and moved on from there.”
That pivot included obtaining a master’s degree in management information systems. Andress set out on her professional road as a systems auditor, then moved into design, architecture and solution generation for security.
“I found that I loved the combination of understanding an industry, a business, a culture, a tech stack, and putting all of that together to craft a security program for a company,” she said. “And that’s what I’ve been focused on the last 20 years.”
Another inflection point was California’s passage in 2002 of the first Data Breach Notification Act, which “put me down the rabbit hole of really looking at and understanding how to apply old laws to new technology, and the challenges that created.”
That interest ultimately set her on a path to law school, studies that helped her interpret regulations and translate their language into the requirements of a security program.
The bulk of her career before she joined Elastic was spent at MassMutual. She’s also served as an adjunct faculty member at the University of Massachusetts Amherst, and advises several venture capital firms.
At Elastic, she is responsible for all things related to cybersecurity and data security. Innovations she has initiated include an emphasis on transparency.
“Coming in, I was really focused on maintaining a high level of transparency, because the more folks understand, the more it’s real to them and they can see their role in it. In past organizations I’ve worked in, security was super secret, and that created a whole other path of people not necessarily understanding what was happening,” she said.
“There are a few things you can’t be fully transparent on, but there’s a lot more we can share than I think we often think we can,” she said. “And the more you do that, the more you help the rest of the company understand what’s happening. Folks want to do the right thing, but they often don’t know what that is for them. So just helping build that awareness and that education, tied to something that is tangible to them and their day-to-day life, something critical to their livelihood, breaks down some of those barriers and silos.”
Andress’ strategy for managing the high-level stress that comes with the job entails compartmentalization, and disconnecting from work by spending time with her three teenagers, two dogs and two cats.
“As a CISO, you’re on 24/7, but I’ve been able to compartmentalize better over the years, whether that’s out with the kids or playing with the animals, finding those things to help create that disconnect,” she said. “That’s something that was really helpful for me to learn and do over the years.”