CISO, Delta Dental Plans Association

Cybersecurity is so much about users and the vigilance of people in the organization. Understanding the underlying psychology of the organization, its culture and mindset, gives me an amazing insight that is priceless in developing cybersecurity strategies.

The most useful concepts that help me at my job as CISO of Delta Dental Plans Association are those of organizational development – my area of concentration for my PhD.

Specifically, there are three aspects of organizational development which I think could be useful to CISOs. I myself use them almost on a daily basis.

First is group dynamics.

People have to know their place in the organization. They have to be conscious of what it takes to perform their role, what it is in relation to the role of others, and in relation to the overall goals of the organization. Each role is a part that must function well in itself, function well alongside others, and function toward a common objective.

I am the company’s first CISO and as such I enjoy a free hand at building a security program.

I do not work on my own, though. Many things need alignment and you can’t do your job in silos. While I have a team of three and we run our own Security Operations Center, I report to the VP of Information Technology, who reports to the CEO. I work with the General Counsel, because we always have to include security in our contracts, and with the Chief Privacy Officer as well.

We look at risk holistically. Cyber risk is just one form of risk; there are many others. The question is how we keep the business going while managing or containing this risk. As CISO, I know where my responsibilities lie – my focus is on cyber risk. But I also work closely with the director of HR, because HR is directly involved in the training of employees and in influencing the company culture. I work with the leadership team to ensure that my objectives are aligned to – and most certainly not in conflict with – their own objectives concerning the business.

Second, occasioning change means modifying the behavior not just of individuals, but groups.

The truth is, the tech part is easier. Shifting culture to one of security is just about the most difficult task there is. It is difficult because while some people embrace change, many are resistant, especially if they feel that the change can affect them in an adverse way or cause some inconvenience in doing their jobs. Forcing security on people is a guarantee that your efforts will not work. They have to understand and embrace it.

If your organization is a big one, chances are that you will have a difficult time reaching out to everybody. You have to have champions – these are folks who accept security concepts easily. For example, HR is a good champion. It understands the culture of keeping safe. Another champion could be the general counsel, because he or she inherently understands risk and is also engaged in keeping the company safe through contracts. You can also turn to your CFO – another person who would understand risk, this time from a financial perspective. He or she can apply those same concepts to security as well.

How do you measure success? You will be successful when your employees imbibe the security mindset, take it home to their families, and let it become part of their everyday life.

Finally, there is understanding leadership styles. Different people respond to different styles in different ways.

I am fortunate that my executive leadership understands cyber risk and supports me as I build our security program. The security champions in my organization all help me spread the word to the other employees.

Not all CISOs have it as easy as I do. Some do not enjoy executive support and they have to put security on the table all the time, demonstrating its importance at every single instance. Some may feel like a lone crusader, getting people to understand how important security is.

And yet, despite the fact that my C-suite appreciates and understands security, I recognize that they are also thinking of many different things at the same time. We do not necessarily interpret events on the same priority level. They think about increasing revenue or the consumer base. So how do I make security meaningful to them in these contexts? I always have to think about where my leaders are coming from.

In a career in this field, you have to have tech acumen so you can know what is going on. CISOs always have to be on top of the game. But these skills that I learned in OD, I can take and apply to any field I choose to work in.

At the end of the day, it’s all about people.