With a wide and diverse variety of positions during his 23-year tenure with the Ricoh, Vice President Corporate and Information Security and CSO David Levine shares his perspective on the role of the CISO, how he stays abreast of industry trends and in the current COVID-19 era, what it means to have a remote team.
Q: How has the role of the CISO changed over your career?
A: The CISO role has continued to grow in organizational and strategic importance within many businesses, including Ricoh. What was once a blended function in IT is now its own critical function with its leader (CISO/CSO) having a seat at the table and reporting, if applicable, to the board on a regular basis. That’s a significant transformation!
Q: What is the biggest challenge for a CISO today?
A: This ties into my answer above, the security budget and staffing has not necessarily kept pace with increasing demands and importance. As more and more of the organization as well as customers and partners realize they need to engage and include security the team gets spread thinner. This can put a real strain on the organization and its effectiveness. Prioritization and risk assessment become critical to help determine what needs to be focused on. You also cannot ignore the fundamental challenge of just keeping pace with operational fundamentals like vulnerability remediation, patching, alert response and trying to stay ahead of highly skilled adversaries.
Q: How do you stay abreast of the trends and what your peers are doing?
A: I use a variety of approaches to track what’s going on relative to trends and my peers. Daily security email feeds are a great source to get a quick recap on the last 24 hours, leveraging one or more of the big research firms and being active in their councils is a great mix of access to analysts and peers. I am also active in the CISO community and participate in events run by great organizations like Apex.
Q: What advice would you give an early stage CIO or CISO joining an enterprise organization?
A: Although I have been with Ricoh for many years, if I was moving to a new organization, I would take the time to ensure I understand:
- the company’s objectives and priorities;
- what’s in place today and why;
- what security’s role in the organization has been;
- what’s working and what isn’t.
I’d also commit to completing initial benchmarking and make sure I spent time, upfront, to start to build solid relationships with key stakeholders.
Q: Have you been putting cloud migration first in your organization’s transformation strategies?
A: We adopted a cloud first mentality a few years ago. The cloud isn’t perfect for everything but in many cases it’s a great solution with a lot of tangible advantages.
Q: What are your Cloud Security Challenges?
A: For us, one of the biggest challenges is keeping pace with the business from a security and governance standpoint. We are currently working on putting in comprehensive policies and requirements, along with tools like a checklist, which will make it clear what’s needed and also enable the various teams to do some of the upfront work without needing to engage my team. That’s a win-win for everyone and reduces the likelihood of a bottleneck.
Q: What are your top data priorities: business growth, data security/privacy, legal/regulatory concerns, expense reduction?
A: YES! In all seriousness, those are all relevant priorities my team and I need to focus on. This further adds to the prior points around more work than hours and resources.
Q: Did you have specific projects or initiatives that have been shelved due to COVID-19 and current realities?
A: Like most of my peers that I have talked to, we have put on hold most “net new” spending for now. The expectation is we will get back to those efforts a bit down the road. We are also taking a look to see what opportunities we have to streamline expenses.
Q: Has security been more of a challenge to manage while your teams have shifted to a Work From Home structure?
A: I am proud of my teams and the ecosystem we put in place. All in all, it’s been a pretty smooth transition. My team is geographically dispersed and a few key resources were already remote. However, that is not to say there aren’t any challenges – not being able to put hands on devices has made some investigations and project work more difficult but we’ve found safe ways to complete the tasks. Ensuring the teams stay connected and communicate is also important.
Q: What were/are the most significant areas of change due to COVID-19?
A: We certainly had to make some exceptions to allow access and connectivity that we would not have done under normal circumstances, but it was the right thing to do for our business and our customers. We also had to shift some users to work from home who typically would not and as such, didn’t have the right resources. Both of these highlighted areas to focus on in the next revisions of our Business Continuity Plans which contemplated the need to shift work and locations but not necessarily everyone working from home. There is also a need to reemphasize security, policies, training when working from home.