What CISOs are Sharing With Their Boards

Security teams need to stay focused and not be distracted by the high-profile breaches



Esther Shein
12/12/2018

Regardless of whether you’re in a regulated industry or a publicly-traded industry, you always have “crown jewels” that need to be protected and the same types of motivations to guard them, said Tomas Maldonado, chief information security officer at International Flavors & Fragrances. Maldonado was the guest on Episode 62 of Task Force 7 Radio on Monday night, with host George Rettas, president and CEO of Task Force 7 Technologies.

Those crown jewels include intellectual property and trade secrets, which he said are very similar to what is protected in the financial services sector, where he has also worked. The difference is, “In the industry that I'm in now … I have to do more really with less in terms of resources and I have to be creative as to how we make investments because you don't have that enormous amount of open pocketbook.”

Yet, regardless of the industry, you still have to have a focused approach to security, while enabling the business to continue to stay profitable, he said.

‘Humble Beginnings’

Rettas started the program by talking about how Maldonado reached the CISO role, noting that he came from “very humble beginnings, growing up with minimal resources in a very hard-nosed area of the Bronx.” He asked Maldonado if he ever envisioned himself in this role.

“It's been a combination of luck, being prepared and having good mentorships along the way that had really helped me be where I am today,’’ he replied. “I didn't set out to be a CISO.”

Maldonado said he “stumbled into doing security” after taking a job as a network security officer and “was afforded a lot of training” in early intrusion detection and prevention systems, and he did a lot of hands-on penetration assessments.

“And that was essentially it for me; that sort of ‘wow factor’ of being able to get into a machine and almost have your way with that machine. That really set my trajectory of being a security professional.”

Today, he acknowledged, he’s not a technical C-level security person, but what has helped him has been being part of a team of individuals who were excellent leaders.

“I've worked for some of the best CISOs in the world and I've had that privilege and almost luxury, if you will, to sit with those individuals and pick their brains and really learn from them.”

While he liked doing hands-on security, Maldonado said he discovered he really enjoyed helping to build and structure a security program.

“I wouldn't say I had a dream job in mind but, heck if I could've written this script many years ago, I would say this is probably one of the best things that I've done in my career, and it's very close to my dream job,’’ he noted.

His role as CISO

In response to a question by Rettas, Maldonado described himself as an enabler. “I'm that type of CISO that wants to enable the business to continue to take risks and manage those, but while understanding the risks that they're taking, and make sure they're calculated.”

The most important thing for a CISO to be is adaptable, Maldonado added. “At the heart and the crux of what I do is I'm the person that's presented to the board. I'm the person that's sitting in front of my executive and really trying to get them motivated around security, get them interested in investing in the program, have them see the value that we add as security professionals … but you have to be very agile and you have to adapt.”

At the same time, he said he also needs to be a coach and get his team motivated around security and be aspirational in their careers.

“I tell my team all the time, ‘I want one of you to take me out and take my job. I want to be able to move on and do something else, and if I've been able to be successful in teaching you and sharing everything that I've learned with you, then I've done a pretty good job from that respect.’”

Rettas said this highlights the fact that CISOs need more than just technical skills. “I hear a lot about the struggle about where the CISO role should fit in an organization and I think it's organization specific.”

Maldonado said he reports to the general counsel at International Flavors and Fragrances, who reports to the CEO. He said the executive committee, board and CEO “know that they can trust that when I'm going in to tell them something, I don't have any hidden agenda or hidden motivations.”

All CISOs who sit under IT find there can be competing priorities among the CIO and CTO, he said. “They're both equally important, but which one is the one that wins at the end of the day? I think that raises very challenging and difficult questions that need to be answered by the organization, if the organization is not in a mature state.”

It’s important to have clear lines of communication, he said, where accountability and responsibility have been delineated and everyone understands their role.

He said he’s also tried to get closer to the business and help run security “like a regular business function. I think when you start to see CISOs take that approach, you start to see a different level of reporting structure and that aligns with how the organizations are essentially maturing.”

What’s trending

In the show’s second segment, Rettas asked Maldonado to discuss some of the security trends he’s seeing.

Not surprisingly, Maldonado said ransomware continues to be a problem, as well as how companies are dealing with the recently-enacted GDPR in the EU and the number of high-profile data breaches; Marriott being the most recent.

He said phishing emails “are not going away” because they’re still profitable and very effective, and that while cryptocurrency mining has “kind of taken a different turn these past few months” it will also continue in some form.

Rettas asked if the public is becoming numb to all the high-profile breaches.

Maldonado said he believes the public is becoming numb “because no one is really, really freaking out anymore.” The security industry needs to figure out how to flip the script, he said. At the same time, security teams need to stay focused and not be distracted by the high-profile breaches.

Maldonado said he tries to express to his senior leaders that “we operate along the lines of that mindset that you're already compromised,” and if they accept that, then “what happens in the news shouldn't distract you from your overall objective … [of] implementing your security function.”

Security fundamentals like patch management, access management, onboarding/offboarding, and training and educating employees on how to be more mindful of security are critical, he said.

“I say, ‘look, the breaches are going to continue and … what I try to do is bring it home to how we're managing the security program, why we're executing and driving toward the agenda that we are, and why we're making the investments that we are based on our overall risk profile.”

Choosing vendors

With so many new products being brought to market all the time, Rettas asked Maldonado how he distinguishes between these vendors.

Maldonado said he puts vendors into two categories: those that are only trying to sell their offering and those that are targeting the company they are approaching.

“Is my product really something that'll change or move the needle with that particular individual, whether it's in their security program or whether it's something else that they're focused on,’’ he said.

Usually, Maldonado said, he tries to understand if the product is a need-to-have or if it’s something to augment what he needs to continue to grow the security program.

He said he prefers that they approach him with “me in mind; my company, what we're doing, what we're driving at, our level of maturity and where we are in this stage of our journey, from a security standpoint. And less of, ‘Hey, buy my product because it's the latest shiny object.’”

That will be more effective in helping them not only sell their product but in building a partnership, Maldonado said, “because I'm not looking for vendors that are just going to sell me a product and walk away. I'm looking for those long-term partners that are really in this with me for the long haul.”

In response to a question about where product advancements have been made, Maldonado cited products embedded with artificial intelligence and machine learning, as well as some advancements in detection and orchestration.

In terms of areas where more advancements need to be made, Maldonado said he’d like to see the vendor compliance space evolve “and maybe get into more continuous control monitoring and having that real transparency into the security posture of the vendors that I'm doing business with.”

“That's an area where we can spend a little bit more time and really, really solve some business problems,’’ he said. “And maybe, just maybe George, we might stop some of these breaches.”

In terms of dealing with the IT and security talent shortage, Maldonado said he is trying to leverage employees and train them as much as possible so they can help identify internal security weaknesses. He said he’s also been mulling how to reward employees who detect anomalies, whether by making them “a local security champion or shouting them out on a web page.”

Career Advice For Would-Be CISOs

In the show’s third segment Rettas asked Maldonado what career advice he would offer to seasoned security professionals who want to take on the challenges of being a CISO one day.

Maldonado said one of the best pieces of advice he received from one of his mentors was to “always approach your audience, whether you're entering a meeting or you're working with an individual on a project … from the perspective of you are listening and learning what it is that is important to them.”

He added that they should figure out what is driving and motivating the stakeholders to achieve their goals. “And leave your security agenda -- not behind -- but off the table for those initial conversations, and really try to interweave your security agenda within the mix and flow of how they're trying to achieve their objectives.”

You will be a more successful security professional if you listen to your business counterparts rather than tell them “hey, you need to have these controls in place. You need to put in these technologies, you need to encrypt this data, you need to do X, Y, Z,” he said. It’s important to understand what's motivating them to help them achieve their particular objectives, Maldonado said.

So “try to listen more, talk less and then interweave your overall security agenda within the mix of what they're trying to do. And you'll be more successful.”

Looking ahead, Maldonado said he sees the CISO role becoming more of a risk manager, and that that is how he’s tried to frame his career.

And, he added, while businesses are looking for people who have risk management backgrounds, they also want people with talent, aptitude, skill sets and the resources to drive an initiative forward – and people they can trust.

The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.
