eBay CISO on managing long-term cybersecurity planning and ROI

In this Help Net Security interview, Sean Embry, CISO at eBay, discusses key aspects of cybersecurity leadership. He shares insights on balancing long-term strategic planning with immediate threat response, evaluating the ROI of new technologies, and addressing employee cybersecurity fatigue.

As a CISO, how do you balance long-term strategic cybersecurity investments with immediate tactical threat response?

The most important word here is “balance”, and effective cybersecurity programs need to have a longer-term strategy but be nimble enough to deal with an ever-changing threat environment. One can’t exist without the other.

For longer-term planning, we maintain a running three-year roadmap that we update annually to account for changes to the threat and risk landscape, new business priorities, and new technologies and capabilities. This gives us a framework within which we can deliver a more specific annual plan that’s dynamic but always aligned to priorities. And our immediate tactical threat response is managed 24x7x365. While usually contained within the team, it can be expanded across the enterprise to deal with any active or perceived threat. We have an active feedback loop where we continuously evaluate our three-year roadmap based on gaps and opportunities discovered as a result of tactical threat response.

How do you evaluate the ROI of adopting new security technologies and frameworks?

Typically, we look at the problem or risk we are trying to solve or prevent, and what the impact would be to the business in terms of costs, availability of services, customer trust and other factors. We conduct proofs of concept to test assumptions, and review the feasibility of the implementation at scale, impact on teams, etc.

If we are building new capabilities internally, we localize the work effort within the security or technology teams to minimize impact across the company. We have found that many of the solutions we have implemented have given us a dual benefit where we not only save the company money but also reduce friction to our customers or employees – some examples include: bot mitigation, cybercrime prevention, account takeover (ATO) reduction, and passwordless technologies.

What’s your perspective on addressing cybersecurity fatigue among employees, especially when rolling out new policies or tools?

I’ve always felt that security and high-priority projects don’t have to compete. This starts with building a culture that embraces good security hygiene at every level of the organization. As a security team, we understand that our teams have many high priorities aside from cybersecurity, but employees also understand that security, compliance and availability of our various platforms are foundational to our performance.

It’s this shared understanding and support that helps us prevent fatigue, and we utilize several mechanisms to ensure our teams are included in our plans:

  • We have virtual architecture teams with representation from all of the technology domains where we review the architecture and engineering behind new tools or policies (scalability, access management, compute impact, etc.). Wherever possible, we also try to adopt new standards like passwordless authentication that have a more positive user experience while maintaining strong security practices. We also prioritize automation efforts to reduce manual tasks for our employees.
  • We have a Security Champions program with participants from every product domain where they share and take feedback to ensure any policies or tools implemented have as little impact as possible.
  • We have a monthly meeting with key stakeholders to review the status of the entire security and compliance portfolio to ensure key stakeholders understand what we are doing, why we are doing it, and where we need their help and influence.

And most importantly, before any major change, we communicate with the entire impacted community of employees and provide resources to ensure there are no impacts to productivity.

How do you navigate the complexities of adhering to multiple cybersecurity regulations?

My view is that cybersecurity is a team sport, and no team will be successful if they lack collaboration and support from every stakeholder group in the business. Legal, IT, HR and other business units, for example, must all work together to ensure that cybersecurity programs are not only understood and embraced in the organization, but that they’re compliant with an evolving regulatory environment.

It’s critical that these key business partners understand security laws, frameworks and standards and align these requirements to the security framework across the business. We have clear policies and standards that integrate requirements from all applicable cybersecurity regulations. We work with teams across the organization to implement these controls and remediate gaps as part of program governance. And we have automation capabilities to detect drift against key hardening controls at scale across the fleet.

What advice would you give to newly appointed CISOs who want to secure executive buy-in for a cybersecurity strategy? How can they explain the ROI?

First and foremost, a new CISO must know they cannot do their job simply sitting behind their desk and watching dashboards. They need to form a broad communications base within the company to understand the state of security and compliance across the entire enterprise (that means hygiene, controls, access, platform security, perimeter security, etc.) and what the business strategy or new high-priority efforts are (e.g. Agentic GPT).

Secondly, a new CISO should understand and be able to communicate the threat landscape, risks, and impacts the company faces and what mitigation controls need to be implemented based upon the company’s risk appetite. It’s important to understand that many hardening efforts will not have an ROI, while others can and do. And for those times where the ROI may be marginal, it is important to also consider less financial-centric metrics like customer trust and brand reputation as part of the ROI conversation.
