Lakshmi Hanspal, a seasoned security professional and presently the Global Chief Security Officer at Box, is willing to challenge herself, which is why she is training to run a marathon this summer. The difficulty doesn’t come only from the physical requirement; it also requires an adjustment to her mindset. “My coach was saying when going uphill, look no more than eight feet in front of you, and I was thinking I don’t do that at work. When I have an uphill, I’m looking all the way figuring how I’m going to reach the top of the hill.” Learning to restrict her field of vision is difficult for Lakshmi because her tendency as a CISO is to look across the whole landscape for complete risk management.
Single Pane of Glass
The position of the Chief Information Security Officer (CISO) is evolving, but across the CISO spectrum a wide range of roles remains. Some CISOs focus only on the corporate environment, whereas others focus on operational functions such as managing the SOC (Security Operations Center) or handling product security, for example ensuring software security. Hanspal sees each of these components as just one part of a whole. “For me when I operate as a CISO” (in addition to Box, she has held senior security positions at SAP Ariba, PayPal, and Bank of America) “I don’t delineate between corporate and production, our risks come from anywhere.”
Fragmentation of functions such as security, privacy, compliance, and data protection makes risk management difficult. The CISO needs to create a cohesive single pane of glass for how the organization deals with risk. Building this comprehensive view requires collaboration with businesspeople. “CISOs need to strive to understand the business domain and speak with that acumen.”
In today’s environment, business leaders are the change agents who bring disruption into the organization, so it behooves security and risk officers to be part of the conversation so that they can give a proverbial thumbs up to future initiatives. With early engagement and a better understanding of the business, it is possible to build a relationship that makes a transparent discussion of risk much easier. Hanspal explains that knowing the problem helps you develop the appropriate solution. This level of understanding also fosters realistic discussions about risk and about what level of risk an organization can tolerate. Customers are hungry for these realistic discussions and are eager to understand what is truly possible. By looking at security and governance from a business standpoint, the CISO can improve enablement without being forced into a policing mode.
Having been involved in IT security for twenty years, Hanspal has seen a lot. While many people eventually move out of the industry, she remains committed to her “calling”. Recently she has been focusing on three areas that advance the cause.
The Basics: What counts as the basics changes as the technology changes, but what is needed is to continue to “get brilliant at the basics”. Hanspal sees this as ensuring that we are prepared to handle the well-established threats and that, through runbooks and playbooks, we know the processes and procedures to follow when an issue arises. The basics also include figuring out how and when to use automation to improve sustainability.
Cybersecurity culture: At Box, security and privacy are principal tenets, but it takes specific actions to build a culture of security. Hanspal is working on deliberate actions to expand the security mindset throughout the organization. As part of cybersecurity awareness month, Box will conduct a Capture the Flag (CTF) event that engages teams that are normally not involved in CTF events. By incorporating social engineering components, teams such as user support services, deployment teams, and sales will all have a role. The activities will be relevant to every single Box employee.
Return on Investment: Given that security is generally considered a cost, it is important to demonstrate the business value behind the investment. The metrics Hanspal looks at are the cost of incidents, the savings (in minutes) from automation, and service maturity.
A major improvement Hanspal would like to see within the CISO role is a change in attitude from strict policy enforcement to one that is more adaptable to an organization’s business needs. “I’m hyper-focused on moving my field of work into a more empathetic mindset”, said Lakshmi. CISOs need to create a level of trust within the organization, with partners, and with customers. By understanding the overall business needs of all the players, it is easier to develop a shared purpose and to begin a dialog that lets others share in the vision you have built. Learning about your customer and partner concerns through the resources around you, such as sales, customer care, professional services, and marketing, allows for an empathetic understanding of what is truly possible. With a good grasp of the customer, you can have a transparent discussion of real risks relative to that party’s tolerance level. Such dialogs let you explore, in a fully transparent manner, all of the possible options and weigh the risks against the benefits.
Talking honestly about why things are the way they are and what can happen if we fail is what the customer needs. Customers are open to reality-based discussions about risk. It is the CISO’s job to ask “How can I help you?” instead of focusing on checking something off the security to-do list.