How CISOs break down complex security challenges
The role of the CISO has evolved into a critical position that encompasses many responsibilities aimed at safeguarding digital assets, preserving data integrity, and mitigating cyber threats. In essence, the role of the CISO is a complex and ever-evolving one that demands a balance of technical expertise, strategic acumen, and leadership skills.
In this Help Net Security interview, Kevin Paige, CISO at Uptycs, provides insights into how he navigates the complex cybersecurity landscape, striking a balance between technical expertise, effective communication, risk management, and adaptive leadership.
As a CISO, how do you balance maintaining technical prowess with the need to communicate complex issues to stakeholders in simple terms?
I have always thought, “You will never understand how to secure something if you don’t understand how it works.” This thought process has driven me to read and educate myself on new technology trends, surround myself with other security technologists and try to stay connected to technology by going deep with my teams.
As a CISO I learned the best way to explain complex issues is with simple metaphors. The strong technical background has provided me with the ability to explain concepts and topics in ways that it’s easier for people to digest.
Despite the ever-present risk of a cyber crisis, many businesses are boldly moving forward and taking on greater risk exposure. How do you manage and integrate cyber resilience efforts across the enterprise in such a context?
There is good risk, and there is bad risk….and just like your cholesterol you need to keep it balanced. An example of good risk is a business going into new markets, or working on new innovative technology. An example of bad risk is not ensuring your business goes into that new market with a plan, or not thoroughly testing and ensuring basic security hygiene of a new innovative technology.
Keeping these worlds balanced is a very tough job as businesses want to move fast, but moving fast without direction does not give a business the velocity it desires and destroys trust. Keeping this trust balance requires good relationships across the enterprise and constant communication.
How have digital initiatives and the rapid adoption of digital transformation impacted your role as a CISO? How do you manage the associated increase in difficulty in ensuring the safety of company and customer data?
I’ve found that many of the internal digital transformation initiatives are focused on efficiency in order to make things more automated, documented or better understood. This helps lower risk and increase efficiency of the enterprise. Where things get tough, though, are when these digital transformations include cloud or SaaS services where no one understands how it works in the current context of capabilities.
Working together closely with technology vendors and cybersecurity companies, the industry can collectively start to close the gap on the increased difficulty. However, the reality is making sure technology products are built with security at the forefront. We need to get to a place where not only the CISO is making sure of this, but the technology leadership teams as well.
In the face of continuous external events testing organizational resilience, what strategies do you employ to keep up despite the challenges?
As leaders in today’s world we have to have leadership, planning and operational styles that focus on 4 key principles. Those principles are:
- Communication: We need to constantly keep communication flowing, so everyone understands the current state of affairs.
- Agility: This is the ability to have the construct in place to know what needs to be done and shift as needed given the current state of things is very important.
- Constant learning: We are going to make mistakes, and we’re also going to score some big wins. It’s important to learn from each experience, good or bad.
- Adaptability: It is often said that the only constant in life is change, yet most organizations handle change poorly. Building adaptability into your planning, such as roadmapping and leadership style helps others deal with the change so that it does not feel like whiplash.
What advice would you give to a newly appointed CISO that needs to explain complex cyber regulations to the board? What strategies do you employ to communicate these details succinctly and effectively?
I would tell them to research your board members. Take a look at their backgrounds, and the industries they have worked in. Are they CFOs of tech companies? CEOs of financial companies? Use that information to tailor your explanation with comparisons of similar regulations across industries, or specific to major news events. This lets the board know you do your homework, and truly understand the issues at hand.