Category: Apex 1 on 1

Insights from a Transformational Leader with Susan Marricone

Apex sat down with Susan Marricone, a Technology and Transformational Leader to discuss the role of an IT Leader and the importance of innovation, being customer centric and IT as a business enabler in the enterprise. 

Q: What is IT doing to support innovation in the enterprise?

A: The current technological environment is so fertile and the need to innovate so urgent, that we shouldn’t even have to be asking this question. Innovation has to be a given for IT in the current environment; yet, in ­­many companies, IT isn’t doing enough to support innovation in the enterprise. 

It is today’s innovation that becomes the viable revenue stream of the future and much of that innovation has deep technological foundations in IT. IT is always at risk of becoming one of the “business as usual departments” instead of focusing a meaningful proportion of its activities on innovation. Close alignment with the business strategy as well as with industry trends can help IT focus its innovation activities in meaningful ways, but IT should also have its own innovation zone. It’s impossible to predict where the next innovation will come from.

Q: What is the single most important thing CIOs should be focusing on today?

A: Like every other part of the enterprise, the most important thing for CIOs to focus on is the customer. The real customers of the company, not the fallacy of the “internal customer.” The “internal customer” fallacy has caused a lot of damage to many IT departments by enabling a lot of gold-plating, a lot of unnecessary internal processes and the reinforcing silos or introducing new ones. CIOs have to lead the way by aligning closely enough with the business to make it clear how IT’s activities are ultimately serving the customer, even when it is not readily apparent.

Q: Should IT be a business enabler?

A: Unless it’s been strictly relegated to “keeping the lights on” – which is net loss for everyone involved – then IT should not only be a business enabler, they should be business partner and a business leader. IT should be at the forefront of ideas, technologies, services and platforms that can not only enable the business but inspire it as well. IT cannot settle for being merely reactive but needs to be firmly entrenched in business strategy and growth and viewed as an internal think tank for ideas.

Q: How do you stay abreast of the trends and what your peers are doing?

A: Talking, reading, travelling to conferences where the people I respect as innovators and thought leaders have a presence. Mostly it’s a mindset of keeping one’s eyes and ears open to what’s happening all around – and making sure you keep it as a priority.

Q: What is the biggest challenge for a CIO today?

A: Finding and keeping the right people is one of the biggest challenges for any leader, including CIOs, particularly in the current competitive environment. For CIOs, it’s extra hard, given the pace at which the landscape changes.

Q: How has the role of the CIO changed over your career?

A: There was a day when a CIO could succeed merely by effectively implementing three- or five-year old technology strategies cost-effectively and with stability. Those days are gone, and the role of today’s successful CIO is a multi-faceted mosaic: part leader, part visionary, part technologist, part transformational guru. Much more challenging – and much more interesting too!

 

Susan Marricone, Director – Agility / DevOps Transformation Leader

Susan Marricone is a dynamic executive and transformation leader making an impact on the Future of Work and Ways of Working to deliver strategic business initiatives. As companies undergo digital transformation and recognize the need for continued innovation, transformation touches many different parts of the enterprise – from organizational structure and business processes to more agile strategy, finance, HR, procurement and supply chain.

A Certified Agile Leader (CAL), Susan Marricone is also certified in business agility, Agile HR, Lean, Change Management and Leading Disruptive Innovation. She holds most major industry leading Agile credentials and has deep experience in Agility.

Susan Marricone has been a speaker for the national Agile Alliance | Women in Agile workshop, leading into the Agile2017 Conference and Agile NJ among other venues, speaking on topics including Empowering Women through Agile Outside IT, Agile HR, and the evolving role of the Agile Business Analyst. She is currently on the Advisory Board for the Rutgers University Leading Disruption Innovation Certificate Program.

The role and the focus of a CISO with Tim Swope

Apex sat down with Tim Swope, Chief Information Security Officer at Catholic Health Services of Long Island to discuss his role and experience as a CISO. With extensive experience in the industry, Tim shares his advice and the value of an IT Risk Management Program being the cornerstone for all cyber security work.

Q: What is IT security doing to support innovation in the enterprise?

A: In addition to training the IT Security Staff, we all attend many seminars outlining new and innovative technologies and with our Proactive Risk Management model we are able to determine what GAPS those technologies will close in our organizations.

Q: What is the single most important thing CISOs should be focusing on today?

A: While many security leaders focus on the technical side of cybersecurity, a key focus of mine is risk management. Risk management is the overriding element for successful cybersecurity programs.  We need to know what cyber risks and 3rd party vendor risk that my affect our organizations, assign a risk level and then focus our remediation and management on the top tier risks first.

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

A: The CIO and I work very closely together on the overall information strategy for the organizations.  That being said, while the CIO might push for technology solutions that will make access to information easier…..I ensure that we can effectively manage and monitor that technology.  In the Healthcare space, innovation has moved faster than our ability to secure it. I remind the CIO we are FIRST in the patient privacy and safety business..not the convenience business!!

Q: How have you searched for and found the best vendors for your organization?

A: We have a very strict due diligence process for our vendors, especially those that will be working with PHI. However, we are constantly looking and evaluating vendors that may be able to save us cost, have greater automation and solve our needs better.

Q: What is the biggest challenge for a CISO today?

A: In the Healthcare industry, changing regulations, the need to expose patient data to outside entities and ensuring that the same IT security posture remains in place in the face of this change.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: When coming into a new organization as a CISO leader, I strongly believe in conducting an internal assessment to get an understanding of what controls and technologies are in place. While some CISOs may rely on an outside firm to conduct these, I choose to do an initial assessment myself, putting myself in an outside auditor’s shoes. Rather than looking at somebody else to do it for me, I’ll do it myself and I think that’s the key thing a CISO should do, is understand his or her landscape and do their own personal assessment and only then can you see what you really have.

Q: What is the importance of an IT risk Management Program in today’s cyber security landscape?

A: In order to deliver value to our customers, patients, employees, communities and shareholders, we at Catholic Health Services and other Healthcare organizations must understand and manage the risks faced across our entire organization. Risks are inherent in our business activities and can relate to strategic threats, operational issues, compliance with laws, and reporting obligations.  As part of the overall IT risk management process Information Security, Governance and Risk (ISGR) departments are responsible for various activities that are important to regulatory compliance, information security, data protection and risk management. This group has the authority and responsibility to investigate and assess compliance in all activities relevant to the Security Governance Program and to report on compliance status to IS Management.

The “Framework” that encompasses their Risk Management Program has the primary functions to:

  • Determine categorization of IT risks
  • Define the common framework used to identify and manage potential events that may affect information within the IT infrastructure
  • Define accountability for IT risk management
  • Determine the governance and oversight of IT  risk management activities

Internal and external events affecting our ability to achieve our security and operational objectives are identified at various points in the business cycle. During strategic and business planning and review processes, business unit management assesses the market and competitive environment to identify risks and opportunities facing their business. The various risk management functions within or assigned to that business unit provide expertise, support and input into the process. Each of the risk management functions is represented on applicable management committees to enable effective risk identification and business partnership.

Throughout the year, risk assessments, scans and surveys are performed by the ISGR team to identify internal and external events that might affect the achievement of the Company’s objectives. Additionally, the various risk management functions scan the external environment for risk indicators through analysis of applicable business intelligence, including trends in external health authority and other government inspections and enforcement, legislative changes, and shifts in market, payer and consumer models, as well as relationships with external subject matter experts.

Finally, risk management functions review the output from internal monitoring and assurance activities to identify gaps and emerging risk areas. Risks are analyzed, considering likelihood and impact of a given outcome, to determine how they should be managed.

If we can take a way one lesson from the need for a risk management program it is the following:

Risk Management is the number one process for Identifying potential risks and creating a plan to eradicate or manage them!!

We don’t accept Risk, we continually Manage it!

 

Tim Swope

CISO

Catholic Health Services of LI

Mr. Timothy Swope is currently the CISO of Catholic Health Services, an 18,000 employee hospital group in Long Island, NY. He is an Information Security and IT Risk Management professional who partners with Chief Information Security Officers and IT Governance, Risk and Compliance executives to assess and deliver IT Security and Risk Management programs to Health Care and Insurance, Pharmaceutical and government agencies. After spending over 2 decades assisting clients implement secure enterprise BI, EHR, Meaningful Use and other data science systems, Tim knows and understands the requirements and components that create a secure information security posture. A key area of his expertise centers around interpreting and applying Federal, State and Industry regulations such as: DSRIP, HITRUST, HIPAA, NIST SP 800-53, 21 CFR Part 11, Health Insurance Reform: Security Standards, FISMA (Federal Information Security Management Act) and locally the Zadroga Act to name a few.

He also supported cyber security requirements for Medicaid’s Delivery System Reform Incentive Payment (DSRIP) Program at 2 of New York’s largest PPS’s (Performing Provider Systems) Northwell Health and NYC Health and Hospitals.

He has supported the IT Risk Management and IS Security initiatives of organizations that include Excellus BCBS, Medimmune/ Astra Zeneca, MERCK, ENDO Pharmaceuticals, Novo Nordisk, Daiichi-Sankyo Solutions, Johnson and Johnson, District of Columbia Government office of the Chief Financial Officer, District of Columbia Water and Sewer Authority, City of Richmond, Virginia Department of Public Utilities.

The role, the challenges and the responsibilities of a CIO with Milos Topic.

Apex sat down with Vice President & Chief Information Officer of Saint Peter’s University. With 20 years of experience in leadership, innovation strategies, technology implementation and business development, Milos shares his views on the role of a CIO and  what it means to be an IT leader today.

 

Q: What is IT doing to support innovation?

A: IT is meant to drive innovation and enable others to do the same and take part. IT is a critical partner and a “golden thread” if you will across everything modern businesses and organizations do. As such, it is uniquely positioned to provide value to all.  Furthermore, innovation comes in many forms, but it always requires action. Thinking, planning, strategizing is all wonderful and valuable, but without action, not much will get accomplished.

Q: What is the single most important thing CIOs should be focusing on today?

A: CIOs as well as all executives should be focused on people and business growth. Modern CIOs are more customer facing and are spending time on strategy, vision and innovations across and beyond the enterprise.

Q: Should IT be a business enabler?

A: IT is business in a sense, or it is at the very least an essential part of every modern and competitive organization. As such, it should provide options to challenge old (and at times outdated) business models before others (from the outside) do it for them.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I have invested years (and continue to do so) in building and nurturing relationships across various industries, sectors and markets. These relationships paired with various events (such as those hosted by Apex) are of critical significance in staying current and learning from those who may be further along.

Q: What is the biggest challenge for a CIO today?

A: It varies across industries and different maturity models of organizations, but I do believe that attracting and retaining top talent is one of the largest priorities, it certainly is for me. In today’s world and in major markets such as greater New York City area people have options which is great for them, yet challenging to many organizations.

Q: What is the difference between a CIO and a CTO?

A: Titles vary, but in general, a CIO should be focused on customers, innovation, strategy, growth and providing value to other major areas (Finance, Marketing, Operations, Security, Legal…) while a CTO is leading the existing services and ensures smooth operations of teams.

Q: How has the role of the CIO changed over your career?

A: Visibility has increased, and so have the responsibilities. CIOs have now earned seats on top management teams among their executive leadership peers. They are also more involved in the overall business vision, strategy and direction than ever before. All of these changes have taken place across organizations that are current and future proofed, while others are still behind and are struggling across some of these areas.

Q: What advice would you give an early stage CIO joining an organization?

A: Get as close to the business as you possibly can and learn everything about it. Build relationships, provide value to others and always give more than you take, in every exchange. Spend time and resources on developing leadership, strategy and negotiation skills as they matter in all that we do, professionally and personally.

Q: How important is the relationship between a CIO and a CISO?

A: While the reporting structure is debated by some, the relationship is very important. CIO relationships with everyone they work with are of importance, from CISO, to CFO, CMO, COO…all the way to the CEO. The entire C-suite needs to be unified and transparent with each other in order for all of them to move forward and make progress.

Q: What is the largest obstacle a CIO faces when it comes to security?

A: People. Training and organizational requirements to how data is stored, used and shared. Furthermore, many organizations are not funding information security adequately and proactively.

Q: What falls under the CIO’s responsibilities when it comes to security?

A: I’m of the belief that there should be one top technology leader and that is a CIO. Everyone else should report to them with varying degrees of authority. When it comes to finance, marketing, legal…they are all ultimately under one leader while IT seems to be fragmented in some organizations. The only potential exception is an area responsible for the overall risk, liability and governance for the entire business…they could be outside IT with strong collaborative partnership with the CIO and their leadership team.

Q: How do you see the security landscape changing over the next 12 – 18 months and how are you preparing?  

A: Robots are taking over. From machine learning to artificial intelligence, people can’t keep up with the volume and complexity of threats so continuous investments in tools and technologies is expected. We are experimenting with robotic process automation (RPA), machine learning and will continue to stay current with what is available.  

Q: How worried are you about the “human element” when it comes to security?

A: It is the weakest link in this chain. People make mistakes in opening emails, sharing data, configuring technology (both software and hardware)…the list goes on. Cyber security awareness training should be mandatory across all organizations and should be part of one’s employment record at some point in time.

 

Milos Topic

Vice President & Chief Information Officer

SAINT PETER’S UNIVERSITY

I believe that everything begins and ends with leadership. Leaders have the greatest responsibility for the impact and influence over the people they lead and the outcomes of their organizations as a whole. Furthermore, I am passionate about IT being a trusted strategic partner and an advisor (a service broker) to the entire organization as technology must drive innovation across organizations and provide both strategic and operational business solutions.

I have 20 years of experience in leadership, innovation strategies, technology implementation & business development while my formal education is a blend of science, technology and business. My journey in the Information Technology (IT) profession started in 1997 and over the past 20+ years I have worked on nearly all aspects of IT. I got underway with networking/cabling installs; tech support to programming in C++, C#, Java; web development; system/network security/administration to my most recent positions of leading teams of amazing people providing technology solutions and services while supporting a multitude of organizational needs. Finally, it is essential to always focus on people first, as they matter the most in everything we do.

Sara Nunez: Being a Woman In Technology

Apex sat down with Sara Nunez, award-winning global Program Management executive. With her experience transforming organizations by applying a broad range of integrated strategic execution best practices and business development initiatives, she shares her thoughts on being a Woman in Technology. 

Q: Is the lack of women in tech really a pipeline problem or is that companies are not providing the culture to cultivate and promote their women talent?

A: We need to do research on this topic. There are many factors to this challenge. 1. We were created with special attributes, just as men were created.  2. Society and Cultures have a lot to do with this issue as well. 3. We need women to unleash their potential without looking at this as competition with men. Companies are us people, therefore, it is our duty to transform and enable success with the right mix of people required regardless of them being women or men.

Q: Does the current conversation about women in tech single women out and leave men out of the solution in your organization?

A: The current conversation is needed and I do believe it is a concern for both sides.

Q: What can organizations do to get more women into senior level and executive positions? Where do you see gaps?

A: Companies are looking for talent and new skills.  We need more qualified women with thick skin to be leaders and apply for senior level positions.

Q: What can companies can do to address unconscious bias at all levels of the organization?

HR and hiring programs should measure the desired outcome and strategize to make it happen.  A balance and diversity is critical for organizations around the world.

What advice would you give to a woman considering a career in the tech industry? What do you wish you had known?

A: My mentor once told me, if you love what you do, you will be amazing at it.  If you are considering a career in the tech industry you have to love it, be an expert at it.  Spend extra time to go beyond.  You are not competing with men, you are complimenting them and together as a team you will succeed.  Be you, be a woman.

Q: What do you think is the biggest challenge for the next generation of women and how can we be stronger role models for them?

A: I think the biggest challenge is to keep up with rapid technology changes and the ability to create knowledge rather than looking for it.  Writing articles and visiting universities to share your knowledge with a new generation could give us the platform to prepare them to succeed.  We need to pay forward and push them hard.

Q: How is your organization creating programs and training for men to be better advocates for women specifically around support and sponsorship?

A: Multiple programs are in place, from Leadership Dev Programs and global assignments to mentoring and sponsorships.

Q: How can women better support other women in technology?

A: We need to excel and inspire women to follow the steps and make giant moves to be recognized and valued for who we are.

Q: It is no secret that many women in the tech industry have felt their gender has affected the way that they are perceived or treated in their role. Have you come across a situation that made you feel that way?

A: Do not allow that to happen.  We are in a company to drive results and motivate each other to succeed.  We are ONE.

 

Sara Nunez, IT Enterprise PMO Director

Dynamic, award-winning global Program Management executive and advisor to the C-suite who ensures strategic PMO is embedded throughout the enterprise’s DNA. Transforms organizations by applying a broad range of integrated strategic execution best practices and business development initiatives. Drives organizational goals, improves performance and efficiencies, and capitalizes on revenue-generating opportunities. Generously shares expertise to inspire a passion for learning, creating high-performance teams with intellectual and emotional connection to their work. Agile and multicultural, with expertise across a broad range of industries including telecommunications, technology, wealth management, and education.

Insights from Founder and President of StarCIO with Isaac Sacolick

Apex sat down with Isaac Sacolick, Founder and President of StarCIO. As a successful CIO who has led digital transformation, product development, innovation, agile management, and data science programs in multiple organizations, he sheds some light on challenges and focus areas for today’s CIO.

Q: What is the biggest challenge for a CIO today?

A: CIOs have the challenge of evolving IT from back office support functions to ones that can deliver applications and analytics while investing in agile, cloud, devops, and security. Many of the CIO I talk to are still adjusting to the speed, innovation, and organizational intelligence required to remain competitive and to avoid disruption.

That’s all table stakes today.

CIOs have to see what’s coming next for their businesses and drive discussions on where they can lead their industries. They have to identify partnerships, experiment with new technologies, and accelerate the development of their leadership teams so that they can deliver and iterate on differentiating capabilities. That’s a lot to do, when many organizations have cultures resistant to change, legacy technology footprints, increasing security threats, and greater operational impacts when technologies underperform.   

Q: What is the single most important thing CIOs should be focusing on today?

A: I think that CIO can’t just have a single most important thing as it can lead to saying ‘no’ to business opportunities, underserving parts of the business, or overinvesting in a strategic driver whether it be innovation, operational excellence, compliance, etc.

Some time ago, I wrote how digital CIOs manage their time and it resonated with many CIO that struggle with their shifting roles and juggling many priorities. The biggest thing the CIO should focus on today is how to manage their time, find partnerships, and grow bench strength to meet these challenges.

Q: What is IT doing to support innovation in the enterprise?

A: IT should start by defining an ideation process and pipeline that captures new ideas from across the organization and puts them through rapid discovery processes. I describe these pipelines and planning processes in my book, Driving Digital: The Leader’s Guide to Business Transformation Through Technology along with agile transformation, product management, and becoming data driven – all practices that drive innovation.

Second, I recommend to CIO and their leadership teams to spend significant time out of their IT offices and seek to develop business relationships, visit customers, and attend various industry events. IT can’t drive innovation without having an outside-in perspective on what customers need, how business leaders are managing competitive threats, and how other industries are solutioning comparable challenges.

Lastly, IT should be doing a lot of experimenting, executing proof of concepts, and investing in learning activities. To be innovative, IT needs to know how to integrate different technologies into nimble, supportable solutions. There’s no silver bullet to innovation, and IT has to invest in learning the building blocks.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I have a voracious appetite for reading, writing, speaking, meeting people, attending events, and participating in social media. I’m a bit of an outlier as a big part of what I do now at StarCIO is advise leaders on transformation, collaborative practices, platforms, and emerging technologies.

I also get hands on with new technologies from time to time.

IT leaders should try to do the same. Read two or more articles a day, a book a month, and attend at least three conferences yearly. Find a comfort zone participating in social media such as commenting on selective posts, participating in a Twitter chat, or writing a guest blog post. Most SaaS solutions offer trials and demo accounts, so invest some time to roll up the sleeves and see what works.   

Q: What advice would you give an early stage CIO joining an enterprise organization?

A: CIOs have to run in several parallel directions when joining an enterprise. First, significant time should be spent with business leaders to start developing relationships and ideally with customers to better understand how the organization’s products or services impact them. Second, they should conduct an end to end assessment of their department’s capabilities, strengths, and weaknesses along with a review of underlying practices and technologies. Finally, they should select a handful of departments that have strategic priorities and may be underserved technically.

CIOs in their first hundred days should be looking to answer several questions. Where are the strategic priorities where technology can make an impact? What are some quick wins and other initiatives that need to be on the roadmap? What major risks have not been communicated or don’t have mitigation plans? What are the gaps in IT that the CIO needs to address and may need financial help, collaboration, or forgiveness in their early goings? What areas of the organization are early adopters to new practices and technologies versus others that are slower to change or others that may be detractors?

CIO roles have to pull this information together quickly to formulate and communicate a go-forward strategy and plan.

 

Isaac Sacolick (@NYIke) is the Founder and President of StarCIO, a services company that helps clients succeed with data and technology while executing “smarter, faster, and more innovative” transformation programs. Isaac is a successful CIO who has led digital transformation, product development, innovation, agile management, and data science programs in multiple organizations. He is the author of the Amazon bestseller, Driving Digital: The Leader’s Guide to Business Transformation Through Technology, and has written over four hundred articles as a contributing editor at InfoWorld,  CIO.com and Social, Agile and Transformation. He is an industry speaker on digital transformation, becoming a data driven organization, artificial intelligence, agile management, and other leadership topics. Isaac has  been recognized as a top digital influence by IDG, Enterprise Management 360, and Thinkers360, a top 100 CIO in STEM, a top social CIO by HuffPost, Forbes, and HP Enterprise.

From a birds eye view of a CSO with Ian Amit

Apex sat down with Ian Amit, Chief Security Officer of Cimpress to discuss his views on what it means to be an innovative CSO today while remaining a business enabler. With over a decade of experience in diverse security fields he shares his experience and advice.

Q: What is IT security doing to support innovation in the enterprise?

A: First and foremost, ensuring that security understands the business needs as far as direction (technologically) and strategy. Then security complements said strategy and not only ensures it is taken through secure means, but also further enables it to take additional risks.

Q: What is the single most important thing CISOs should be focusing on today?

A: Understanding and prioritizing the risks for the business. It’s not a question of a technological vulnerability “du jour” to be addressed (especially if it does not affect the organization’s threat model) and more about being able to correctly utilize the resources at hand to most effectively address the actual relevant risks.

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

A: Independent. The CIO and CISO have potential conflicting views when it comes to technology, and hence should be independent of each other.

Q: Should IT security be a business enabler?

A: Absolutely. IT Security should never come from a “NO” approach, and by definition should enable the business to pursue whatever course of action it deems the most beneficial.

Q: How do you stay abreast of the trends and what your peers are doing?

A: Beyond the continued technological education, working and engaging with peer CSOs and CISOs has been the most beneficial for me as far as keeping up with the news, and mostly around how other executives are meeting their challenges. Forums where there are curated discussions where the members drive the conversations have been the most effective in doing that.

Q: How have you searched for and found the best vendors for your organization?

A: It is a constant cycle of looking for the right vendors for the organization, and in my view the value of VARs have diminished significantly over the years and are only used to secure the best price point for a product. For me the focus on products is shifting, and I’m spending more on training my internal resources, while augmenting them with the right products. That means continuously challenging our operating model, and also the products we use.

Q: What is the difference between a CISO and a CRO (Chief Risk Officer)?

A: There is definitely a lot of overlap from my perspective, and I feel like a CRO is only applicable in organizations where the majority of the risk contains not only non-information elements, but is highly biased to financial or legal elements. In more “traditional” organizations, I believe that a CSO (who has all security in scope, not just information security) is the executive role responsible for risk overall, and can be coupled with a strong internal audit function to provide full risk management coverage for the organization.

Q: How has the role of the CISO changed over your career?

A: At the beginning of my career, CISOs were mostly IT-Security managers. The scope and focus of those roles has been mostly limited to technology risk and managing the security of the infrastructure and the technology stack. Modern CISOs, and especially CSOs are tasked with a broader scope which includes the social as well as physical elements of security of the organization.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: Communication is key. Being able to have discussions with your peers in the executive management is critical, and this includes learning to formulate risk in business terms. Only then the application of “our” domain knowledge becomes applicable. One of the most common mistakes I’m seeing with CISOs in general is gravitating back to the engineering-heavy comfort zone where a lot of them came from, while losing focus over the actual missions which is to secure the organization and enable it to advance.

 

Discussions with Malik Bernard on the pathway to cyber success

 

Apex sat down with Malik Bernard, Executive Head, Cyber Governance (Cyber Security and GRC) at the City of New York to discuss the cyber journey. With over 20 years overall in the space of Cybersecurity, Enterprise IT Strategy and Design, Vendor Management coupled with IAM and DLP program implementation, he shares his experience on the pathway to cyber success.

Q: What is IT security doing to support innovation in the enterprise?

A: This is an interesting question; On its face, a simple question; but if you give it some thought, there has to be a distinction between IT Security and  how it supports Cyber. Within IT Security, one may look at Data, Hardware/Software and Artificial Intelligence. I know from performing hands on labs, working with industry leaders, and analysts, the trend is towards

  • Hardware Authentication
  • Machine Learning coupled with Behavior Analytics
  • Cloud Security or should I say, better cloud security, beyond Firewalls, Storage etc. In this space, virtualization still rules and the implementation of Virtual IPS/IDS is paramount as part of an overall Cloud security strategy.

Q: Should IT security be a business enabler?

A: Everyone and every department, should support the business through smart hiring, defined, well documented processes and procedures and with appropriate technologies.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I listen to smarter people than myself. I have within my circle of whom I trust, those that are non-bias individuals who aren’t afraid to tell me no, share with me what they really think and I attend a few workshop forums yearly to challenge and stretch my knowledge.

Q: How have you searched for and found the best vendors for your organization?

A: It helps to be the SME or subject matter expert or know a few on a variety of business and tech needs. This way, you can cut through the ‘pitch’ and get to the ‘how will this help solve the challenge(s) we’re currently facing’ and how will it scale.

Q: What is the biggest challenge for a CISO today?

A: This one depends on many factors; The size of the organization; The amount of power and control trusted and given to the CISO. I would say, keeping up with the ever changing attack surface of the enterprise and ensuring that one’s defensive posture, is the ‘right size’ for their environment.

Q: What is the difference between a CISO and a CRO (Chief Risk Officer)?

A: CISOs are more focused on tech, cyber, etc. CROs are more focused on Risk, Threats etc. They both should work closely together to ensure a full 360 view of Risk and Threats across the landscape.

Q: How has the role of the CISO changed over your career?

A: I’ve actually changed and defined in my prior role, what a next generation CISO should be focused on and how to get quick wins, towards a sustainable strategy of measured success. This role simply validated what I’ve been doing in prior, non exec, C-Suite positions.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: Discern what’s real, what’s perceived and what’s noise. Find a way to cut through the ‘pitch’ and understand how x may occur and have in place, 2, 3 options at the ready to defend the organization. Finally, listen more, speak less and be curious.

 

Mr. Bernard is the Senior Executive Head of the City of New York, where he heads up the City’s Cyber Governance Tower. He was also in charge of leading the following domain areas: Software Security Assurance akin to SDLC, Cybersecurity and Awareness Training and IT Risk.

Prior to joining the City of New York, Mr. Bernard held the role of Chief Information Security Officer (CISO), for a global technology company, where his and his team’s focus was on Cybersecurity (Identity Access Management, Data Leakage Prevention, Threat Management, GRC and Privacy Management.)