Blog: Top 5 CISO Security Priorities For 2021

Posted by Pete Thurston

A recap of the Webinar, CISOs Talk Shop | Data Security in 2021

In a recent webinar, we sat down with three senior security leaders from different industries to discuss their lessons from 2020 and strategies for 2021. Our guests were Thomas Davis, CISO at Terminix (ServiceMaster); Pat Benoit, VP, Global Cyber GRC/BISO at CBRE; and Jonathan Hay, CISO at Cadence Bank.

In this article, we summarize the conversation from that webinar and highlight some important security takeaways that any organization can learn from:

3 Lessons From 2020 That Informed 2021 Security Priorities

Our speakers opened the webinar by summarizing what they learned in 2020, including some unexpected positives, that drove their security mindsets for 2021. Here are the three lessons that they shared:

  1. Pat Benoit: Focus on the basics instead of shiny objects

One of the big takeaways from 2020 is to always remember that change is constant. The further an organization gets from the security basics to go after shiny objects (such as the latest trend in software), the less prepared it is to deal with a big change like supporting widespread remote access.

  2. Thomas Davis: Always have a strategy

InfoSec should not just be reactive to the business. It should have its own strategy and plan for adding value.

  3. Jonathan Hay: Have extreme agility

Plan to be extremely agile so you can rapidly respond to events. From an InfoSec perspective, this could involve using cloud-native solutions or platforms that allow you to make changes quickly—changes that can be amazingly powerful when applied appropriately.

Top 5 CISO Security Priorities For 2021

With those lessons in mind, the webinar discussion moved into 2021 security strategies, how we can rethink security, what solutions will serve us best in the future, and more. Here’s a synopsis of the top five priorities our guests shared:

  1. Focus On Cloud-Native Solutions

Post-pandemic, many organizations are increasing their emphasis on using cloud-native security products and vendors. Our guests discussed how cloud-native solutions tend to be more agile—security controls can be rapidly changed—and typically offer more forward-thinking functionality and frictionless user experiences.

  2. Push More Boundaries (Securely)

Companies had to innovate overnight and push into new directions, beyond secure perimeters and firewalls, that many considered impossible before. Is a data center necessary? Is it possible to operate without brick-and-mortar branches? Do we need a large headquarters? These are all questions that many companies had to reckon with.

InfoSec teams had to quickly figure out how to protect data that now existed almost exclusively outside the office, while still helping the business innovate to survive. Learning how to get that increased visibility into the cloud, as well as monitor and respond to threats across a much wider landscape, has built the skillset of many InfoSec teams. The CISOs on our panel emphasized they are now better equipped to push boundaries and try new things (and have increased confidence from the business at large to do so), while maintaining a strong security posture.

For example, Cadence Bank deployed new Salesforce financial services solutions in 2020 to quickly meet demand for the Paycheck Protection Program, and to accelerate the modernization of their digital banking operations and client experience.

  3. Embed Security Into the Operating Process

With the nearly instantaneous deployment of a remote workforce, it’s become crystal clear that security by design must be part of an organization’s culture. While the CISO or CIO may be accountable for security, everyone in the organization is responsible for it. For 2021 and beyond, the entire company must take security practices very seriously; it’s the InfoSec team’s job to form relationships with line-of-business partners to communicate and build this cultural mindset.

“We're trying to shift that security conversation deep into the beginning of every conversation,” says Patrick Benoit. “We look for those opportunities to get the CISO, or a representative of the CISO, in front of every aspect of the company, as early as possible in any initiative or project or process.”

“Make sure you're having two-way dialog, as well,” added Jonathan Hay. “It is your job to be savvy in information security and bring new concepts to the table. See where new technology and security capabilities could plug in alongside the business strategy. It’s important to have constant conversations about what InfoSec can support from an innovation perspective, as well as the value you're delivering behind the scenes.”

“The old way of, ‘Come kiss the ring and I may or may not let you go into production,’ doesn't work anymore,” Thomas Davis continued. “You have to make security valuable to your business and you have to be able to translate it to your audience. If you’re talking to developers about writing code, you need to speak ‘developer.’ If you're talking to line-of-business owners about why we can’t do certain things because of the risk, you need to be speaking in dollars-and-cents, operational language. Everyone's involvement, from the top down, will help drive a mature program.”

  4. Balance Cloud Security Posture & Innovation

The global pandemic did not slow down technological innovation. If anything, it accelerated innovation with a push toward more in the cloud. Many organizations are now taking more of a security by design approach from the outset of projects or processes simply because it is a fact that access will be from the field, in people’s homes. So now, risks are more present and obvious.

Balancing security posture and innovation is tricky, but it is a clear strategic initiative for CISOs this year. Our webinar guests discussed how they’ve refined their methodologies for understanding the inherent risks involved with a project, whether that’s building out a platform customization or adopting a new cloud service, and then taking action to mitigate those risks while increasing innovation speed. This typically involves iteratively maturing the security controls and environment, while staying cognizant of where sensitive data exists and how it will be affected by changes.

“Design doesn't have to be completed all at once,” Jonathan Hay notes. “It can be an iterative process across the implementation, with toll gates in place for major decisions. For example, if you’re about to move into production and promote sensitive data sets into your environment, everyone will know that InfoSec needs to sign off from a compliance perspective before crossing that toll gate.”

“To be innovative, you also have to have a culture of learning,” says Thomas Davis. “People have to be committed to learning and trying new things, and sometimes that's going to potentially cause problems in your security posture. But, going back to our takeaways from 2020, if you always have a strategy, you’re prepared and can address any problems.”

  5. Manage Risk By Knowing What Data You Have, Where It Exists & Who Can Access It

Our CISO panel talked about how their current security strategies involve both internal and external checks and balances. As organizations innovate, the shared responsibility model may shift more onto their shoulders than they realize. Salesforce is a perfect example because it has a high capacity for and flexibility with massive amounts of data, which has made it a mission-critical platform for many companies. But that flexibility is Salesforce’s superpower and its kryptonite. As organizations innovate and customize on Salesforce, data accessibility increases…and so does risk. As our guests discussed, having an unbiased third party assess what and where information exists in a platform like Salesforce, plus who has access to it, is essential to securing your sensitive data.

This is an on-going effort because information is dynamic—coding changes constantly, and data is there one day and gone the next. As Jonathan Hay so aptly observed in the discussion, “Data is the new gold,” and is often the most valuable asset an organization has, so it must be understood and protected.

“A solution like RevCult can help you identify what data you actually have,” Pat Benoit says. “Once you've identified it, you can take multiple approaches to security and understand where the risk is. Restricting access to a platform like Salesforce doesn’t mean it’s secure. That’s simply identity and access management. An organization needs to mature to the point that it's looking at what's happening to that data once somebody has access to it. And that starts with classification and identifying data.”

Watch the webinar, or listen to the podcast

For the complete webinar, click here to watch the on-demand recording and here to listen to the audio on our podcast.
