With 25 years of experience in the IT industry, the insight, advice and perspective of Benjamin Corll, CISO, Coats, are fascinating. His views on the relationship between the CIO and CISO, the importance of knowing the business, and collaboration among teams are some of the many areas that Corll shares in this Apex 1 on 1.
Q: What is IT security doing to support innovation in the enterprise?
InfoSec has been an underpin for enterprise innovation for decades. We have been a force for change, yet we have operated behind the scenes for many years. Yes, we have had a bad reputation as it has long been believed that the InfoSec team is the “office of no”. However, I do like to say that we’re the team of the “office of the know”. And by this I mean that we have monitoring of the organization. We have an obligation to use this data to feed the other teams and to help them make better data-driven decisions. By doing this, we are driving (or supporting) innovation in the organization.
Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?
As in most organizations, the CISO generally reports to the CIO. This means that the CISO has a tight relationship with the CIO. There should be mutual respect. I truly believe that the CIO and CISO are only successful when they are closely aligned. Security and IT should be aligned in objectives and strategy. The CIO is focused on availability and the integrity of the computing environment. The CIO is only going to be successful when the CISO is successful, as the CIO suffers when the network is breached, when applications are unavailable, and when desktops are compromised. The fate of the CIO and CISO are intertwined.
I have heard many times that it is said that it is a conflict of interest having the CISO report to the CIO. Can this be true? Yes, if the CIO is ignoring the risks that the CISO is reporting in order to prioritize uptime for the sake of availability. Yet, if the CIO understands that her success is tied to the CISO, then she should partner with and support the CISO. When that happens, there shouldn’t be a conflict of interest.
Q: What is the biggest challenge for a CISO today?
Prioritization is the biggest challenge for a CISO today. The threat landscape continues to evolve. Our budgets will never be large enough and our teams big enough to address every risk. We cannot do it all. There will always be more to do. And we cannot remove all risk as that would be too cumbersome to end users or it would remove the ability for users to do their jobs.
Security teams will have to stay nimble and pivot. This doesn’t mean that security has to be only reactive, yet it does mean that they need to be flexible. A roadmap can still be developed and delivered upon, yet it is not to be written in stone as new threats may be revealed and require a shift in focus, a reallocation of funds, and full support put into a new initiative.
This is why I believe prioritization is the key challenge for a CISO today.
Q: How do you stay abreast of the trends and what your peers are doing?
Collaboration & sharing is how I stay up to date on trends and with what my peers are doing. Joining organizations which enable sharing of ideas and experiences in a trusted and controlled environment is invaluable. Some of these are free, some of them actually have a subscription model. Both are good.
There are curated lists of news which do save time. This allows me to know what some of the top articles and happenings are from around the globe without having to spend a lot of time scouring websites. What this enables me to do is answer questions if my executive staff calls me and asks me about something they may have seen in the news. So long as I have read my lists, I am rarely uninformed of the topics they’ve inquired about.
Q: What advice would you give an early stage CIO or CISO joining an enterprise organization?
Learn your business. Don’t focus on your siloed role. Learn what the company does and the workflows required to produce the goods or service that drives revenue. This is going to help with two main things:
- You’ll discover what the true crown jewels and critical systems are
- You’ll learn how to align your organization with the business objectives
Talk to the business. Empower your stakeholders. Listen to listen. And when you make a promise or commitment, do everything to keep it. Even if you have to go back and tell them that something isn’t possible after all, still go back and have that conversation (and learn not to overpromise when you’re not absolutely certain). Stakeholder management and setting proper expectations go a long way toward being successful.
And then for the CISO, look at things from a risk-based perspective. And when someone comes with a request, rarely answer with a “no”. Instead, answer with “Yes, and…”. Make the “and” the required guardrails or stipulations under which you would be comfortable with the request. If possible, give multiple options. Allow the requestor to decide the path forward, or whether they don’t want to proceed. This makes the decision a joint decision and stops it from being an adversarial relationship.
Q: What can organizations do to get more women into senior level and executive positions? What can companies do to address unconscious bias at all levels of the organization?
How do we get more women into senior and executive positions? Be intentional. We need to get diversity in our organizations. This is also a diversity in thinking. I don’t want to hire anyone who thinks exactly the way I do. I need other thought processes and perspectives, else I’m going to continue to make the same types of decisions that I’ve always made. So I have to be intentional to hire people who do not think the same way I do. So I, like others, need to be quite intentional to require my recruiters to bring me a diverse group of candidates. And then I need to be open to those who have the right mindset, even if they don’t have all the experience that I want. For security, a mindset is more important than technology experience. I can teach someone the technology, yet I cannot teach them how to be curious, skeptical, or persistent.
As for getting people into executive roles, organizations need to require a diverse group of candidates when a role is available.
Q: Has security been more of a challenge to manage while your teams have shifted to a Work From Home structure?
My organization was friendly to a non-traditional office location for our administrative workforce. However, it wasn’t exactly ready for everyone to not be able to ever be in the office, and certainly not for a year.
How has this impacted the security? The engagement of users is more interesting. We need to make sure people stay engaged as they are more likely to follow the standards and security awareness when they feel engaged, empowered, and involved.
Q: Have you found new vendors for your organizations that are now needed in this time of COVID-19 and remote working?
One of the most innovative companies we found was one that has enabled us to use our existing cameras within our facilities to allow our health & safety team to monitor the environment. The H&S team can get real-time / near-real-time alerts to unsafe activities. It allows remote monitoring of locations while still being able to detect undesirable activities and incidents.
Benjamin Corll, CISO, Coats
I’ve been in the IT industry for about 25 years now. I started in the US military as a small computer systems specialist, also known as a UNIX systems administrator. Being versed in CLI and IPTables, I was assigned to taking care of the firewalls and perimeter devices. This started a transition from sysadmin to security administrator.
During the dot-com boom, I transitioned from military life into technology consulting. I spent the next several years deploying network and security devices before deciding it was time to settle down and begin building and maturing organizational security programs. I was fortunate enough to be a founding member of the US Postal Service’s Computer Incident Response Team (CIRT), where we built a world-class response organization with engagement with other CIRTs/CSIRTs/SOCs around the globe.
After a few years of building programs from a security engineering perspective, I shifted to building programs as an InfoSec Director. This allowed me to shift to a more strategic perspective and build programs that not only focused on risk management and protecting my organizations but also aligned security with business objectives.